During Cyble’s routine Open-Source Intelligence (OSINT) research, we came across a Twitter post wherein researchers mentioned a malware that has a name and icon similar to the legitimate anti-virus app, McAfee. While analyzing the malware we observed that the package name of the malicious app was com.escobar.pablo. Further research helped us identify this malware as a new variant of the popular banking Trojan, Aberebot. Besides stealing sensitive information such as login credentials using phishing overlays, Aberebot has also targeted customers of 140+ banks and financial institutions across 18 countries.
Cyble Research Labs has identified new features in this Aberebot variant, such as stealing data from Google Authenticator and taking the control of compromised device screens using VNC, etc. Threat Actors (TAs) have named the new variant as Escobar and published the feature details of the variant in a cybercrime forum, as shown in the figure below.
APK Metadata Information
- App Name: McAfee
- Package Name: com.escobar.pablo
- SHA256 Hash: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f
Figure 2 shows the metadata information of an application.
The figure below shows the application icon and name displayed on the Android device.
The malware requests users for 25 different permissions, of which it abuses 15. These dangerous permissions are listed below.
|READ_SMS||Access SMSes from the victim’s device.|
|RECEIVE_SMS||Intercept SMSes received on the victim’s device|
|READ_CALL_LOG||Access Call Logs|
|READ_CONTACTS||Access phone contacts|
|READ_PHONE_STATE||Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.|
|RECORD_AUDIO||Allows the app to record audio with the microphone, which has the potential to be misused by attackers|
|ACCESS_COARSE_LOCATION||Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.|
|ACCESS_FINE_LOCATION||Allows the device’s precise location to be detected by using the Global Positioning System (GPS).|
|SEND_SMS||Allows an application to send SMS messages.|
|CALL_PHONE||Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.|
|WRITE_EXTERNAL_STORAGE||Allows the app to write or delete files in the device’s external storage|
|READ_EXTERNAL_STORAGE||Allows the app to read the contents of the device’s external storage|
|WRITE_SMS||Allows the app to modify or delete SMSes|
|GET_ACCOUNTS||Allows the app to get the list of accounts used by the phone|
|DISABLE_KEYGUARD||Allows the app to disable the keylock and any associated password security|
We observed a defined launcher activity in the malicious app’s manifest file, which loads the first screen of the application, as shown in Figure 4.
Source Code Review
Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSes, Call logs, and device location. Besides recording calls and audio, the malware also deletes files, sends SMSes, makes calls, and takes pictures using the camera, etc., based on the commands received from the C&C server.
The code snippet shown below is used by the malware to access the contacts data such as phone numbers and email addresses from the victim’s device, as shown in Figure 5.
The code shown in Figure 6 is used by the malware to collect SMSes from the device‘s inbox and upload them to the C&C server.
The malware collects incoming SMSes from the device and uploads them to the C&C server, as shown in Figure 7.
The code snippet shown below depicts the malware’s ability to collect call logs from the device and upload it to the C&C server.
Figure 9 showcases the code that illustrates the malware‘s ability to steal application key logs.
In the below image, we see the code that is used by the malware to record audio from an infected device based on the TA’s command.
On the TA’s command, the malware tries to steal Google authenticator codes, as shown below.
The Escobar malware variant also uses VNC Viewer to remotely control the screens of an infected device, as shown below.
The malware can take pictures and also has the code to send text SMSes to a specific phone number or to all the contacts saved in the victim’s device without the user’s knowledge. Refer to figure 13 for the code used by the malware for this purpose.
Acting to the commands given by the TAs C&C, the Escobar malware is capable of injecting URLs in the victim’s device, as shown below.
The malware can also steal media files from the victim’s device, as shown in the below code snippet.
The image below depicts the malware’s ability to collect device location.
Figure 17 showcases the code snippet used by the Escobar malware to monitor the victim’s device notifications.
The malware can also kill itself whenever it gets the commands from the C&C server.
Below are the commands used by the TAs to control the infected device:
|Take Photo||Capture images from the device’s camera|
|Send SMS||Send SMS to a particular number|
|Send SMS to All Contacts||Send SMS to all the contact numbers saved in the device|
|Inject a web page||Inject a URL|
|Download File||Download media files from the victim device|
|Kill Bot||Delete itself|
|Uninstall an app||Uninstall an application|
|Record Audio||Record device audio|
|Get Google Authenticator Codes||Steal Google Authenticator codes|
|Start VNC||Control device screen|
Banking threats are increasing with every passing day and growing in sophistication. Escobar is one such example. The newly added features in the Escobar malware allow the malicious app to steal information from the compromised device. According to our research, these types of malware are only distributed via sources other than Google Play Store. As a result, practicing cyber hygiene across mobile devices and online banking applications is a good way to prevent this malware from compromising your system.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSes, or emails.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Initial Access||T1476||Deliver Malicious App via Other Mean.|
|Initial Access||T1444||Masquerade as Legitimate Application|
|Collection||T1433||Access Call Log|
|Collection||T1412||Capture SMS Messages|
|Collection||T1432||Access Contact List|
|Collection||T1533||Data from Local System|
|Command and Control||T1436||Commonly Used Ports|
Indicators of compromise