Home / Threat Intelligence bulletins / Android malware 'Escobar' steals Google Authenticator MFA codes


Escobar was first seen on the 3rd of March by the security researchers MalwareHunterTeam. Escobar is based on the Aberebot Android banking trojan. However, it has been improved and is now advertised for rental, with new features added, which include the functionality to steal Google Authenticator multifactor authentication (MFA) codes.


The application gains access to different areas of an Android mobile device, including being able to capture sound and images, send SMS, inject URLs, and read Google Authenticator codes. Escobar has also been seen to initiate a VNC Viewer process which can be utilised to control user devices. VNC Viewer has been utilised as this will allow the threat actor to subvert access to any e-banking present on the device.

Impacted Devices

All Android versions.

Vulnerability Detection

Recommendation: to monitor Mobile/Wi-Fi usage of applications.
Unexpected permissions sought, such as ‘Take Photo’, ‘Send SMS’, ‘Microphone’, which are used to record users.

Containment, Mitigations & Remediations

For now, the recommendation is to avoid installation of APK’s outside of Google Play, enable Google Play Protect and the use of a mobile security tool.

If detected, researchers recommend:
– Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
– Perform a factory reset.
– Remove the application in case a factory reset is not possible.
– Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

Indicators of Compromise

Indicators Indicator Type Description
a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f SHA256 Escobar APK
22e943025f515a398b2f559c658a1a188d0d889f SHA1 Escobar APK
d57e1c11f915b874ef5c86cedb25abda MD5 Escobar APK

Commands used by Threat Actor to control device

Take Photo Capture images from the device’s camera
Send SMS Send SMS to a particular number
Send SMS to All Contacts Send SMS to all the contact numbers saved in the device
Inject a web page Inject a URL
Download File Download media files from the victim device
Kill Bot Delete itself
Uninstall an app Uninstall an application
Record Audio Record device audio
Get Google Authenticator Codes Steal Google Authenticator codes
Start VNC Control device screen

Threat Landscape

It has been reported in the media that Escobar is currently capable of targeting 190 different banks and institutions across 18 countries.

Mitre Methodologies

T1476 – Deliver Malicious App via Other Mean
T1444 – Masquerade as Legitimate Application
T1575 – Native Code
T1433 – Access Call Log
T1412 – Capture SMS Messages
T1432 – Access Contact List
T1429 – Capture Audio
T1512 – Capture Camera
T1533 -Data from Local System
T1430 – Location Tracking
T1436 – Commonly Used Ports

Further Information

Bleeping Computer