'Escobar' Android malware steals your 2FA codes — and takes over your phone


Update: Not even antivirus apps are safe for you to download, so be vigilant about what you install

An Android banking Trojan called "Escobar" masquerades as a McAfee antivirus app and steals one-time codes from Google Authenticator, once again demonstrating why you really don't want to install apps from outside the official Google Play store.

The app can also steal SMS text messages and media files, make phone calls, track your location, use the phone's camera, uninstall apps, inject new URLs into web browsers and, most devastating of all, use the VNC remote-desktop function to completely take over a phone.

That last feature means the crooks running this app can break into your online bank accounts and other online services such as email and social-media accounts without any assistance from you.

How to protect yourself from Escobar malware

To guard against Escobar and similar Android banking Trojans, here's what you need to do.

  • Install and use one of the best Android antivirus apps
  • Don't install apps from outside the Google Play store. Google Play isn't perfect, but other app stores are worse
  • Use the strongest two-factor-authentication (2FA) method each account offers. If you can use a USB security key on an account, go with that
  • Install and use an app from one of the best password managers, which can tell the difference between a real and fake login screen
  • Read the permissions each app requests before installing it
  • Watch out for unusually high battery or data consumption on your phone
  • Make sure Google Play Protect is turned on
  • Install and set up a couple of alternate authenticator apps, such as Authy or Microsoft Authenticator
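The advice above to read the permissions an app requests before installing it can be turned into a repeatable check. The script below is an added example written for this article, not code from the article, from Cyble, or from any other party it cites. It parses a decoded AndroidManifest.xml and maps the requested permissions to the capabilities the article attributes to the Trojan (overlays on top of other apps, SMS access, phone calls, location, camera, uninstalling apps). The sample manifests are constructed; only the package name `com.escobar.pablo` comes from the article, and the permission list is illustrative rather than a claim about what the real sample requests. Screen capture, which the article says is used against Google Authenticator, goes through the MediaProjection API and does not show up as a manifest permission, so a manifest review cannot see it.

```python
"""Manifest permission review: flag the permission clusters a banking
Trojan needs. Added example for this article; assumes an already-decoded
AndroidManifest.xml (as produced by apktool or aapt), not a raw APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability -> real Android permissions that grant it. Capabilities are
# the ones the article attributes to the malware.
CAPABILITIES = {
    "overlay_on_other_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "read_or_intercept_sms": {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS"},
    "place_phone_calls": {"android.permission.CALL_PHONE"},
    "track_location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "use_camera": {"android.permission.CAMERA"},
    "uninstall_apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "read_media_files": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# CONSTRUCTED sample: the package name is the one the article reports;
# the permissions are illustrative, not taken from the real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.escobar.pablo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application>
        <service android:name=".ScreenReaderService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

# CONSTRUCTED sample of an app whose permission set matches a modest purpose.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def declares_accessibility_service(manifest_xml):
    """True if any <service> binds as an accessibility service, which lets an
    app read and act on what other apps show on screen."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_PERMISSION)
               == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for svc in root.iter("service"))


def review(manifest_xml):
    """Summarise which Trojan-relevant capabilities the manifest enables and
    give a coarse verdict for a human reviewer."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    caps = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    if declares_accessibility_service(manifest_xml):
        caps.add("accessibility_service")

    # Overlay plus a way to read codes (SMS or accessibility) is the
    # combination credential-stealing overlays depend on.
    reads_codes = caps & {"read_or_intercept_sms", "accessibility_service"}
    if "overlay_on_other_apps" in caps and reads_codes:
        verdict = "high"
    elif len(caps) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"),
            "capabilities": sorted(caps),
            "verdict": verdict}


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                           ("benign", BENIGN_MANIFEST)):
        print(name, review(manifest))
```

The verdict is deliberately coarse: a legitimate SMS app will legitimately hold `READ_SMS`, and an accessibility tool will legitimately bind an accessibility service. The point of the check is the combination, and in particular an overlay permission on an app whose stated purpose (an antivirus, in this case) gives it no reason to draw over other apps.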

No Escobar cocaine hippos included

Bug slayer MalwareHunterTeam spotted the fake McAfee app a couple of weeks ago and noticed that the Android package name was "com.escobar.pablo", obviously named after the Colombian drug lord who was killed in 1993 and whose zoo animals escaped into the wild.

The app was downloaded from the Discord content-delivery network CDN, which has become a major conduit for malware.

Researchers at threat-intelligence firm Cyble got hold of the malicious app and quickly saw that it was an evolution of the Aberebot banking Trojan, first spotted in mid-2021, which Cyble noted had already "targeted customers of 140+ banks and financial institutions across 18 countries."

But this new variant had some new tricks.

"Cyble Research Labs has identified new features in this Aberebot variant," the researchers wrote, "such as stealing data from Google Authenticator and taking the control of compromised device screens using VNC, etc."

What to do if you think you've been infected

If you suspect that your device has been infected by a banking Trojan such as Escobar, Cyble recommends some drastic measures.

  • Back up your media files, but NOT your apps
  • Turn off your mobile data and Wi-Fi
  • Remove your SIM card
  • Factory-reset your phone
  • Use your Google account to restore as much of your personal data as you can
  • Check your bank balance for any suspicious activity, and report it to your bank if you find some

Malware for rent

Both Cyble and Bleeping Computer, which earlier reported this story, saw that on Feb. 14, an English-speaking malware developer using the handle "His Excellency" had posted an offer in a Russian-language criminal forum to "rent" a beta version of what was called "Escobar" for $3,000 a month. 

The "renters" would be in charge of packaging and distributing the malware. It appears at least one customer took up His Excellency's offer and put the fake McAfee app in the Discord CDN. (Here's our review of the real McAfee Android antivirus app.) 

Like many banking Trojans, Escobar steals usernames and passwords by placing lookalike screen overlays on top of legitimate banking apps. 

So if you have a Bank of America account, for example, a banking Trojan will wait until you fire up the Bank of America Android app, then overlay its own screen that looks exactly like the Bank of America login screen. 

When you type in your username and password, you're actually typing them into the banking Trojan, which sends them right away to its remote command-and-control server. However, a good password manager won't recognize the fake login screen as the real app's, and so won't automatically fill in the credentials.

Some banking Trojans try to capture authenticator-app 2FA codes in the same manner, but Escobar seems to go right to the source. It fires up Google Authenticator on command and records the screen, hoping to capture the codes before their 30-second lifespans are over.

Of course, once the crooks behind Escobar use VNC to control the phone, they can do almost anything they want, including using previously captured credentials to log into accounts and then using Google Authenticator to verify the logins.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
