'Escobar' Android malware steals your 2FA codes — and takes over your phone

Android malware
(Image credit: Shutterstock)

Update: Not even antivirus apps are safe for you to download, so be vigilant about what you install

An Android banking Trojan called "Escobar" masquerades as a McAfee antivirus app and steals one-time codes from Google Authenticator, once again demonstrating why you really don't want to install apps from outside the official Google Play store.

The app can also steal SMS text messages and media files, make phone calls, track your location, use the phone's camera, uninstall apps, inject new URLs into web browsers and, most devastating of all, use the VNC remote-desktop function to completely take over a phone.

That last feature means the crooks running this app can break into your online bank accounts and other online services such as email and social-media accounts without any assistance from you.

How to protect yourself from Escobar malware

To guard against Escobar and similar Android banking Trojans, here's what you need to do.

  • Install and use one of the best Android antivirus apps
  • Don't install apps from outside the Google Play store. Google Play isn't perfect, but other app stores are worse
  • Use the strongest two-factor-authentication (2FA) method each account offers. If you can use a USB security key on an account, go with that
  • Install and use an app from one of the best password managers, which can tell the difference between a real and fake login screen
  • Read the permissions each app requests before installing it
  • Watch out for unusually high battery or data consumption on your phone
  • Make sure Google Play Protect is turned on
  • Install and set up a couple of alternate authenticator apps, such as Authy or Microsoft Authenticator
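Two of the steps above (don't sideload, and read what each app is) can be checked from a computer rather than by scrolling through Settings. The script below is an added example written for this article, not a tool from Cyble, MalwareHunterTeam or Tom's Guide. It parses the output of `adb shell pm list packages -i` (which lists every package together with the store or installer that put it on the phone; the `package:... installer=...` line format and the sample lines are assumptions constructed for the example) and flags anything not installed by Google Play (`com.android.vending`), as well as the package name reported for this Trojan, `com.escobar.pablo`.

```python
"""Triage a phone's installed packages for sideloaded and known-bad apps.

Run on a computer with the phone attached:
    adb shell pm list packages -i > packages.txt
    python triage_packages.py packages.txt

Constructed example, not part of the original article.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"

# Package names reported by researchers; only the Escobar name comes from the article.
KNOWN_BAD_PACKAGES: Set[str] = {"com.escobar.pablo"}

# Assumed line shape of `pm list packages -i`:
#   package:com.example.app  installer=com.android.vending
#   package:com.android.settings  installer=null      (preinstalled, no installer)
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


class PackageRecord(NamedTuple):
    package: str
    installer: Optional[str]  # None when the device recorded no installer


def parse_pm_output(text: str) -> List[PackageRecord]:
    """Turn raw `pm list packages -i` output into records; unknown lines are skipped."""
    records: List[PackageRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # blank line or unexpected format: do not guess
        inst = match.group("inst")
        records.append(PackageRecord(match.group("pkg"), None if inst == "null" else inst))
    return records


def find_sideloaded(records: List[PackageRecord],
                    trusted: Set[str] = frozenset({PLAY_STORE_INSTALLER})) -> List[PackageRecord]:
    """Packages whose installer is known but is not a trusted store.

    Preinstalled apps (installer None) are not flagged; they did not arrive by sideloading.
    """
    return [r for r in records if r.installer is not None and r.installer not in trusted]


def find_known_bad(records: List[PackageRecord]) -> List[PackageRecord]:
    """Packages whose name matches a published malware package name."""
    return [r for r in records if r.package in KNOWN_BAD_PACKAGES]


def triage(text: str) -> Dict[str, List[str]]:
    """Summarise findings as package-name lists, ready to print or assert on."""
    records = parse_pm_output(text)
    return {
        "total": [r.package for r in records],
        "sideloaded": [r.package for r in find_sideloaded(records)],
        "known_bad": [r.package for r in find_known_bad(records)],
    }


# Constructed sample output; the third line imitates a sideloaded fake antivirus app.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.apps.authenticator2  installer=com.android.vending
package:com.escobar.pablo  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    result = triage(data)
    print(f"{len(result['total'])} packages parsed")
    for pkg in result["sideloaded"]:
        print(f"SIDELOADED (not from Google Play): {pkg}")
    for pkg in result["known_bad"]:
        print(f"KNOWN MALWARE PACKAGE NAME:        {pkg}")
```

A sideloaded entry is not proof of infection (a corporate MDM or a developer's own test build shows up the same way), but every package in that list is one the owner should be able to name and explain; an "antivirus" that arrived through the system package installer rather than Google Play is exactly the pattern this article describes.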

No Escobar cocaine hippos included

Bug slayer MalwareHunterTeam spotted the fake McAfee app a couple of weeks ago and noticed that the Android package name was "com.escobar.pablo", obviously named after the Colombian drug lord who was killed in 1993 and whose zoo animals escaped into the wild.

The app was downloaded from the Discord content-delivery network (CDN), which has become a major conduit for malware.


Researchers at threat-intelligence firm Cyble got hold of the malicious app and quickly saw that it was an evolution of the Aberebot banking Trojan, first spotted in mid-2021, which Cyble noted had already "targeted customers of 140+ banks and financial institutions across 18 countries."

But this new variant had some new tricks.

"Cyble Research Labs has identified new features in this Aberebot variant," the researchers wrote, "such as stealing data from Google Authenticator and taking the control of compromised device screens using VNC, etc."

What to do if you think you've been infected

If you suspect that your device has been infected by a banking Trojan such as Escobar, Cyble recommends some drastic measures.

  • Back up your media files, but NOT your apps
  • Turn off your mobile data and Wi-Fi
  • Remove your SIM card
  • Factory-reset your phone
  • Use your Google account to restore as much of your personal data as you can
  • Check your bank balance for any suspicious activity, and report it to your bank if you find some

Malware for rent

Both Cyble and Bleeping Computer, which earlier reported this story, saw that on Feb. 14, an English-speaking malware developer using the handle "His Excellency" had posted an offer in a Russian-language criminal forum to "rent" a beta version of what was called "Escobar" for $3,000 a month.

The "renters" would be in charge of packaging and distributing the malware. It appears at least one customer took up His Excellency's offer and put the fake McAfee app in the Discord CDN. (Here's our review of the real McAfee Android antivirus app.)

Like many banking Trojans, Escobar steals usernames and passwords by placing lookalike screen overlays on top of legitimate banking apps.

So if you have a Bank of America account, for example, a banking Trojan will wait until you fire up the Bank of America Android app, then overlay its own screen that looks exactly like the Bank of America login screen.

When you type in your username and password, you're actually typing them into the banking Trojan, which sends them right away to its remote command-and-control server. However, good password managers won't recognize the fake login screen and won't automatically fill in the credentials.

Some banking Trojans try to capture authenticator-app 2FA codes in the same manner, but Escobar seems to go right to the source. It fires up Google Authenticator on command and records the screen, hoping to capture the codes before their 30-second lifespans are over.

Of course, once the crooks behind Escobar use VNC to control the phone, they can do almost anything they want, including using previously captured credentials to log into accounts and then using Google Authenticator to verify the logins.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.