Connect with us

Hi, what are you looking for?

Cyber Security

Android malware Escobar steals your Google Authenticator MFA codes

The Aberebot Android banking trojan has returned under the name ‘Escobar’ with new features, including stealing Google Authenticator multi-factor authentication codes.

The new features in the latest Aberebot version also include taking control of the infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of targeted apps for credential theft.

The main goal of the trojan is to steal enough information to allow the threat actors to take over victims’ bank accounts, siphon available balances, and perform unauthorized transactions.

Rebranded as Escobar

Using KELA‘s cyber-intelligence DARKBEAST platform, BleepingComputer found a forum post on a Russian-speaking hacking forum from February 2022 where the Aberebot developer promotes their new version under the name ‘Escobar Bot Android Banking Trojan.’

Seller's post on a darknet forum
Seller’s post on a darknet forum (KELA)

The malware author is renting the beta version of the malware for $3,000 per month to a maximum of five customers, with threat actors having the ability to test the bot for free for three days.

The threat actor plans on raising the malware’s price to $5,000 after development is finished.

MalwareHunterTeam first spotted the suspicious APK on March 3, 2022, masqueraded as a McAfee app, and warned about its stealthiness against the vast majority of anti-virus engines.

https://twitter.com/malwrhunterteam/status/1499390775775293454?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1499390775775293454%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fandroid-malware-escobar-steals-your-google-authenticator-mfa-codes%2F

This was picked up by researchers at Cyble, who performed an analysis of the new ‘Escobar’ variant of the Aberebot trojan.

According to the same analysts, Aberebot first appeared in the wild in the summer of 2021, so the appearance of a new version indicates active development.

Old and new capabilities

Like most banking trojans, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal credentials from victims.

The malware also packs several other features that make it potent against any Android version, even if the overlay injections are blocked in some manner.

The authors have expanded the set of targeted banks and financial institutions to a whopping 190 entities from 18 countries in the latest version.

The malware requests 25 permissions, of which 15 are abused for malicious purposes. Examples include accessibility, audio record, read SMS, read/ write storage, get account list, disabling the keylock, making calls, and accessing precise device location.

Everything that the malware collects is uploaded to the C2 server, including SMS call logs, key logs, notifications, and Google Authenticator codes.

Code to snatch Google Authenticator codes
Code to snatch Google Authenticator codes (Cyble)

The above is enough to help the crooks overcome two-factor authentication obstacles when assuming control of e-banking accounts.

2FA codes arrive via SMS or are stored and rotated in HMAC software-based tools like Google’s Authenticator. The latter is considered safer due to not being susceptible to SIM swap attacks, but it’s still not protected from malware infiltrating the userspace.

Moreover, the addition of VNC Viewer, a cross-platform screen sharing utility with remote control features, gives the threat actors a new powerful weapon to do whatever they want when the device is unattended.

Advertisement. Scroll to continue reading.
VNC Viewer code in Aberebot
VNC Viewer code in Aberebot (Cyble)

Apart from the above, Aberebot can also record audio clips or take screenshots and exfiltrate both to the actor-controlled C2, with the complete list of supported commands listed below.

Table of Aberebot commands
Table of commands accepted by Aberebot (Cyble)

Should we be concerned?

It is still early to tell how popular the new Escobar malware will become in the cybercrime community, especially at a relatively high price. Nevertheless, it’s now powerful enough to entice a wider audience.

Also, its operational model, which involves random actors that can rent it, means its distribution channels and methods may vary greatly.

In general, you can minimize the chances of being infected with Android trojans by avoiding the installation of APKs outside of Google Play, using a mobile security tool, and ensuring that Google Play Protect is enabled on your device.

Additionally, when installing a new app from any source, pay attention to unusual requests for permissions and monitor the app’s battery and network consumption stats for the first few days to identify any suspicious patterns.

Source: https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe...

Cyber Security

The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files...

Cyber Security

A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victim’s authentication cookies, allowing threat actors to bypass multi-factor authentication when logging...

Cyber Security

Security researchers are warning of an Android malware named SMSFactory that adds unwanted costs to the phone bill by subscribing victims to premium services. The...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO