Cyble-Aberebot-Malware-Escobar

AbereBot Returns as Escobar

During Cyble’s routine Open-Source Intelligence (OSINT) research, we came across a  Twitter post wherein researchers mentioned a malware that has a name and icon similar to the legitimate anti-virus app, McAfee. While analyzing the malware we observed that the package name of the malicious app was com.escobar.pablo. Further research helped us identify this malware as a new variant of the popular banking Trojan, Aberebot. Besides stealing sensitive information such as login credentials using phishing overlays, Aberebot has also targeted customers of 140+ banks and financial institutions across 18 countries.

Cyble Research Labs has identified new features in this Aberebot variant, such as stealing data from Google Authenticator and taking the control of compromised device screens using VNC, etc. Threat Actors (TAs) have named the new variant as Escobar and published the feature details of the variant in a cybercrime forum, as shown in the figure below.

Figure 1- Darkweb Post About Escobar

Technical Analysis

APK Metadata Information

  • App Name:  McAfee
  • Package Name: com.escobar.pablo
  • SHA256 Hash: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f

Figure 2 shows the metadata information of an application.

Figure 2 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 3 – App Icon and Name

Manifest Description

The malware requests users for 25 different permissions, of which it abuses 15. These dangerous permissions are listed below.

PermissionsDescription
READ_SMSAccess SMSes from the victim’s device.
RECEIVE_SMSIntercept SMSes received on the victim’s device
READ_CALL_LOGAccess Call Logs
READ_CONTACTSAccess phone contacts
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
RECORD_AUDIOAllows the app to record audio with the microphone, which has the potential to be misused by attackers
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONAllows the device’s precise location to be detected by using the Global Positioning System (GPS).
SEND_SMSAllows an application to send SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files in the device’s external storage
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
WRITE_SMSAllows the app to modify or delete SMSes
GET_ACCOUNTSAllows the app to get the list of accounts used by the phone
DISABLE_KEYGUARDAllows the app to disable the keylock and any associated password security

We observed a defined launcher activity in the malicious app’s manifest file, which loads the first screen of the application, as shown in Figure 4.

Figure 4 – Launcher Activity

Source Code Review

Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, Call logs, and device location. Besides recording calls and audio, the malware also deletes files, sends SMSes, makes calls, and takes pictures using the camera, etc., based on the commands received from the C&C server.

The code snippet shown below is used by the malware to access the contacts data such as phone numbers and email addresses from the victim’s device, as shown in Figure 5.

Figure 5 – Code to Collect Contacts Data

The code shown in Figure 6 is used by the malware to collect SMSes from the device‘s inbox and upload them to the C&C server.

Figure 6 – Code to Collect Inbox SMSs

The malware collects incoming SMSes from the device and uploads them to the C&C server, as shown in Figure 7.

Figure 7 – Code for collecting Incoming SMSs

The code snippet shown below depicts the malware’s ability to collect call logs from the device and upload it to the C&C server.

Figure 8 – Code to Collect Call Logs

Figure 9 showcases the code that illustrates the malware‘s ability to steal application key logs.

Figure 9 – Code to steal key logs

In the below image, we see the code that is used by the malware to record audio from an infected device based on the TA’s command.

Figure 10 – Code to records Audio

On the TA’s command, the malware tries to steal Google authenticator codes, as shown below.

Figure 11 – Steals Google Authenticator Code

The Escobar malware variant also uses VNC Viewer to remotely control the screens of an infected device, as shown below.

Figure 12 – Uses VNC Viewer to Control Device Screen

The malware can take pictures and also has the code to send text SMSes to a specific phone number or to all the contacts saved in the victim’s device without the user’s knowledge. Refer to figure 13 for the code used by the malware for this purpose.

Figure 13 – Code to take Pictures and send SMSs

Acting to the commands given by the TAs C&C, the Escobar malware is capable of injecting URLs in the victim’s device, as shown below.

Figure 14 – Injects URLs

The malware can also steal media files from the victim’s device, as shown in the below code snippet.

Figure 15 – Steals Files on the Device

The image below depicts the malware’s ability to collect device location.

Figure 16 – Code to Collects Device Location

Figure 17 showcases the code snippet used by the Escobar malware to monitor the victim’s device notifications.

Figure 17 – Code for monitoring device notifications

The malware can also kill itself whenever it gets the commands from the C&C server.

Figure 18 – Code to kill Itself

Below are the commands used by the TAs to control the infected device:

CommandDescription
Take PhotoCapture images from the device’s camera
Send SMSSend SMS to a particular number
Send SMS to All ContactsSend SMS to all the contact numbers saved in the device
Inject a web pageInject a URL
Download FileDownload media files from the victim device
Kill BotDelete itself
Uninstall an appUninstall an application
Record AudioRecord device audio
Get Google Authenticator CodesSteal Google Authenticator codes
Start VNCControl device screen

Conclusion

Banking threats are increasing with every passing day and growing in sophistication. Escobar is one such example. The newly added features in the Escobar malware allow the malicious app to steal information from the compromised device. According to our research, these types of malware are only distributed via sources other than Google Play Store. As a result, practicing cyber hygiene across mobile devices and online banking applications is a good way to prevent this malware from compromising your system.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSes, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1433Access Call Log
CollectionT1412Capture SMS Messages
CollectionT1432Access Contact List
CollectionT1429Capture Audio
CollectionT1512Capture Camera
CollectionT1533Data from Local System
CollectionT1430Location Tracking
Command and ControlT1436Commonly Used Ports

Indicators of compromise

IndicatorsIndicator TypeDescription
a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459fSHA256Escobar APK
22e943025f515a398b2f559c658a1a188d0d889fSHA1Escobar APK
d57e1c11f915b874ef5c86cedb25abdaMD5Escobar APK

Scroll to Top