Get in Touch
Android malware ‘Escobar’ steals Google Authenticator MFA codes
Overview
Escobar was first seen on the 3rd of March by the security researchers MalwareHunterTeam. Escobar is based on the Aberebot Android banking trojan. However, it has been improved and is now advertised for rental, with new features added, which include the functionality to steal Google Authenticator multifactor authentication (MFA) codes.
Impact
The application gains access to different areas of an Android mobile device, including being able to capture sound and images, send SMS, inject URLs, and read Google Authenticator codes. Escobar has also been seen to initiate a VNC Viewer process which can be utilised to control user devices. VNC Viewer has been utilised as this will allow the threat actor to subvert access to any e-banking present on the device.
Impacted Devices
All Android versions.
Vulnerability Detection
Recommendation: to monitor Mobile/Wi-Fi usage of applications.
Unexpected permissions sought, such as ‘Take Photo’, ‘Send SMS’, ‘Microphone’, which are used to record users.
Containment, Mitigations & Remediations
For now, the recommendation is to avoid installation of APK’s outside of Google Play, enable Google Play Protect and the use of a mobile security tool.
If detected, researchers recommend:
– Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
– Perform a factory reset.
– Remove the application in case a factory reset is not possible.
– Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
Indicators of Compromise
| Indicators | Indicator Type | Description |
|---|---|---|
| a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f | SHA256 | Escobar APK |
| 22e943025f515a398b2f559c658a1a188d0d889f | SHA1 | Escobar APK |
| d57e1c11f915b874ef5c86cedb25abda | MD5 | Escobar APK |
Commands used by Threat Actor to control device
| Take Photo | Capture images from the device’s camera |
| Send SMS | Send SMS to a particular number |
| Send SMS to All Contacts | Send SMS to all the contact numbers saved in the device |
| Inject a web page | Inject a URL |
| Download File | Download media files from the victim device |
| Kill Bot | Delete itself |
| Uninstall an app | Uninstall an application |
| Record Audio | Record device audio |
| Get Google Authenticator Codes | Steal Google Authenticator codes |
| Start VNC | Control device screen |
Threat Landscape
It has been reported in the media that Escobar is currently capable of targeting 190 different banks and institutions across 18 countries.
Mitre Methodologies
T1476 – Deliver Malicious App via Other Mean
T1444 – Masquerade as Legitimate Application
T1575 – Native Code
T1433 – Access Call Log
T1412 – Capture SMS Messages
T1432 – Access Contact List
T1429 – Capture Audio
T1512 – Capture Camera
T1533 -Data from Local System
T1430 – Location Tracking
T1436 – Commonly Used Ports