Please note that the Android Bank Trojan Escobar is making a comeback

Following the recent upsurge of the famous botnet Emotet, another Android banking Trojan, Aberebot, is also on the rise. According to the Bleeping Computer website, Aberebot is returning under the name “Escobar” and iterating on new features, including stealing Google Authenticator multi-factor authentication code.

In February, Bleeping Computer discovered on a Russian-language hacking forum that Aberebot developers were advertising their new version of the malware under the name “Escobar Bot Android Banking Trojan.” Developers rent beta versions of the malware for $3,000 per month from up to 5 customers who can test the new version of the software for 3 days, and the developer plans to increase the price of the malware to $5,000 after development is complete.

On March 3, security research team MalwareHunterTeam discovered suspicious APK based on Escobar masquerading as a McAfee application and warned it was stealthy from the vast majority of anti-virus engines.

Like most banking Trojans, Escobar hijacks users’ interactions with e-banking apps and websites by overriding login forms and steals account credentials from victims. The malware also contains several other features that make it effective for any Android version, even if overlay injection is somehow blocked.

The malware requests 25 permissions from the device, 15 of which are used for malicious purposes, including accessibility, audio recording, reading SMS, read/write storage, getting a list of accounts, disabling keylocks, making calls, and accessing precise device locations. The malware uploads everything it collects to the C2 server, including SMS call logs, key logs, notifications, and Google Authenticator code.

Get the Google Authenticator code

Two-factor authentication codes are delivered via SMS or stored in HMAC software-based tools such as Google Authenticator and rotated. The latter is considered more secure because it is not susceptible to SIM swapping attacks but still fails to prevent malware from invading user space.

In addition, the attackers also used VNC Viewer, a cross-platform screen sharing utility with remote control functions, to control the user’s device throughout the process.

In addition to the above, Aberebot can also record audio clips or take screenshots and leak both to actor-controlled C2, a complete list of supported commands is listed below.


It’s too early to tell how popular the new Escobar is in the cybercrime community, especially at relatively high prices. Still, it’s now powerful enough to appeal to a wider range of threat actors.

In general, users can minimize the chances of getting Android malware by avoiding installing APKs outside of Google Play, using mobile security tools, and ensuring that Google Play Protect is enabled on their devices. Also, when installing a new app from any source, it’s important to be aware of unusual permission requests and monitor the app’s battery and network consumption statistics in the previous days to identify any suspicious patterns.