Escobar Android Malware

It has been reported that a newly surfaced Android financial malware, named as ‘Escobar’ is spreading as disguised antivirus app. It allows attackers to steal sensitive banking information such as user credentials, personal information and even steals one-time codes from Google Authenticator. The app can also steal SMS text messages and media files, make phone calls, track location, use the phone's camera, uninstall apps, inject new URLs into web browsers and use the VNC remote-desktop function to completely control the infected mobile device(s).

Infection Mechanism

'Escobar’ malware is reported to be distributed by cybercriminals using text messages containing links leading to compromised/malicious pages, drive-by-downloads, malicious emails, fake updates, etc. This new version of ‘Aberebot’ Android banking trojan has been disguised with a name and icon similar to the legitimate anti-virus app McAfee. Once installed, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal credentials from victims. The malware also packs several other features that make it potent against any Android version, even if the overlay injections are blocked in some manner.

The malware requests 25 permissions, of which 15 are abused for malicious purposes. Examples include accessibility, audio record, read SMS, read/ write storage, get account list, disabling the keylock, making calls, and accessing precise device location. The malware collects following information from the device like SMS call logs, key logs, notifications, and Google Authenticator codes and uploads to the C2 server. The VNC Viewer with remote control features might enable the threat actors to abuse the information to take over victims' bank accounts and perform unauthorized transactions.

Indicator of Compromise:

APK Metadata Info:

• Package Name: com.escobar[.]pablo

Hashes (SHA 256)

• a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f

Best Practices and remedial measures:

• Use genuine mobile security solutions that can protect devices against online threats, malicious applications, and even data loss.
• Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only.
• Install and maintain updated antivirus solution on android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
• Prior to downloading / installing apps on android devices (even from Google Play Store), Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
• Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
• In settings, do not enable installation of apps from "Untrusted Sources".
• Exercise caution while visiting trusted/untrusted sites for clicking links.
• Install Android updates and patches as and when available from Android device vendors.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. Be careful of opening unsolicited and unexpected emails, especially those that call for urgency. In cases of genuine URLs, close out the e-mail and go to the organization’s website directly through browser.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
• Users are advised to use device encryption or encrypting external SD card feature available with most of the android OS.
• Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users
• Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
• Confirm that the banking/financial app you’re using is the official, verified version.
• If anything looks awry or suddenly unfamiliar, check in with your bank’s/financial service provider's customer service team.
• Use two-factor authentication if it’s available.
• Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
• Refer to security best practices for mobile Phone users: http://www.csk.gov.in/documents/Mobile_phone_Security.pdf

References:

• https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/
• https://www.tomsguide.com/news/escobar-android-banking-trojan
• https://cybersecuritynews.com/android-malware-escobar/
• http://www.csk.gov.in/documents/Mobile_phone_Security.pdf