December 8, 2023

The Android banking trojan Aberebot, first spotted last year, is back under a new name, “Escobar”, and with new features, including stealing Google Authenticator MFA codes, recording audio, taking photos, and taking control of the device through VNC, which allows attackers to steal bank accounts and perform unauthorized transactions. The new version has expanded to 190 entities in 18 countries.

The suspicious APK file is disguised as a McAfee application and has been flagged for its stealthiness against the vast majority of antivirus engines.


The beta version of the malware has been rented for $3,000 per month to up to five customers, with threat actors being able to test the bot for free for three days.

Message from the seller on a darknet forum

Escobar displays overlaid login forms to hijack user interactions with online banking apps and websites and steal victims’ credentials.

The malware asks for 25 permissions, 15 of which are used for malicious purposes. Examples include accessibility, audio recording, reading SMS, read/write storage, getting the account list, disabling the key lock, calls, and access to the device's precise location.
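A defender-side triage of the permission set described above, as an added example that is not from the original article or from the malware itself: it flags a decoded AndroidManifest.xml (for instance, one produced by apktool) that pairs an accessibility service with several of the listed sensitive permissions. The mapping to Android permission names, the threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities listed above to Android permission names.
RISKY = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_SMS": "reading SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.DISABLE_KEYGUARD": "disabling key lock",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml, threshold=4):
    """Return (findings, suspicious) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = sorted(RISKY[p] for p in requested if p in RISKY)
    # An accessibility service is declared on a <service>, not via <uses-permission>.
    has_a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
                   for s in root.iter("service"))
    if has_a11y:
        findings.append("accessibility service")
    # Heuristic (assumption): accessibility plus several sensitive permissions
    # is unusual for an app that presents itself as an antivirus product.
    suspicious = has_a11y and len(findings) - 1 >= threshold
    return findings, suspicious

# Constructed sample manifest, not taken from a real APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A hit is a reason to inspect the app further, not a verdict: legitimate accessibility tools also declare this service.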

Everything the malware collects is uploaded to the C2 server, including SMS call logs, key logs, notifications, and Google Authenticator codes.

Code to retrieve Google Authenticator codes

The above is enough to help scammers overcome two-factor authentication hurdles when taking control of online bank accounts.

2FA codes either arrive via SMS or are stored and rotated in HMAC-based software tools such as Google’s Authenticator. The latter is considered more secure because it is not susceptible to SIM card swapping attacks, but it is still not protected against malware infiltrating the user space.


The addition of VNC Viewer, a cross-platform screen sharing utility with remote control capabilities, gives hackers a powerful new weapon to do whatever they want when the device is unattended.

Aberebot Command Table

Although it is still in the early stages of development, the enhanced feature set shows how powerful it is. Since it is offered on a rental model, the distribution methods vary.

Risks of this type can be avoided by installing apps only from the Play Store and by using security tools that monitor for unusual activity and block it automatically.
