{
	"id": "9e9fdc8c-96bf-4ba5-938e-d8717b04efa9",
	"created_at": "2026-04-06T00:11:20.638778Z",
	"updated_at": "2026-04-10T03:30:32.807122Z",
	"deleted_at": null,
	"sha1_hash": "7a7e369e9f04c7da0b56e7d3c9886b0e6a926c6e",
	"title": "Android malware Escobar steals your Google Authenticator MFA codes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2368296,
	"plain_text": "Android malware Escobar steals your Google Authenticator MFA codes\r\nBy Bill Toulas\r\nPublished: 2022-03-12 · Archived: 2026-04-05 21:32:20 UTC\r\nThe Aberebot Android banking trojan has returned under the name 'Escobar' with new features, including stealing Google Authenticator multi-factor authentication codes.\r\nThe new features in the latest Aberebot version also include taking control of infected Android devices using VNC, recording audio, and taking photos, while also expanding the set of apps targeted for credential theft.\r\nThe main goal of the trojan is to steal enough information to allow the threat actors to take over victims' bank accounts, siphon available balances, and perform unauthorized transactions.\r\nhttps://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/\r\nPage 1 of 6\r\nRebranded as Escobar\r\nUsing KELA's cyber-intelligence DARKBEAST platform, BleepingComputer found a forum post on a Russian-speaking hacking forum from February 2022 where the Aberebot developer promotes their new version under the name 'Escobar Bot Android Banking Trojan.'\r\nSeller's post on a darknet forum (KELA)\r\nThe malware author is renting the beta version of the malware for $3,000 per month to a maximum of five customers, with threat actors having the ability to test the bot for free for three days.\r\nThe threat actor plans on raising the malware's price to $5,000 after development is finished.\r\nMalwareHunterTeam first spotted the suspicious APK on March 3, 2022, masquerading as a McAfee app, and warned about its stealthiness against the vast majority of anti-virus engines.\r\nThis was picked up by researchers at Cyble, who performed an analysis of the new 'Escobar' variant of the Aberebot trojan.\r\nAccording to the same analysts, Aberebot first appeared in the wild in the summer of 2021, so the appearance of a new version indicates active development.\r\nOld and new capabilities\r\nLike most banking trojans, Escobar displays overlay login forms to hijack user interactions with e-banking apps and websites and steal credentials from victims.\r\nThe malware also packs several other features that make it potent against any Android version, even if the overlay injections are blocked in some manner.\r\nThe authors have expanded the set of targeted banks and financial institutions to a whopping 190 entities from 18 countries in the latest version.\r\nThe malware requests 25 permissions, of which 15 are abused for malicious purposes. Examples include accessibility, audio recording, reading SMS, read/write storage, getting the account list, disabling the keylock, making calls, and accessing precise device location.\r\nEverything that the malware collects is uploaded to the C2 server, including SMS, call logs, key logs, notifications, and Google Authenticator codes.\r\nCode to snatch Google Authenticator codes (Cyble)\r\nThe above is enough to help the crooks overcome two-factor authentication obstacles when assuming control of e-banking accounts.\r\n2FA codes arrive via SMS or are stored and rotated in HMAC-based software tools like Google Authenticator. The latter is considered safer because it is not susceptible to SIM swap attacks, but it is still not protected from malware that has infiltrated the device's userspace.\r\nMoreover, the addition of VNC Viewer, a cross-platform screen-sharing utility with remote control features, gives the threat actors a powerful new weapon to do whatever they want when the device is unattended.\r\nVNC Viewer code in Aberebot (Cyble)\r\nApart from the above, Aberebot can also record audio clips or take screenshots and exfiltrate both to the actor-controlled C2, with the complete list of supported commands listed below.\r\nTable of commands accepted by Aberebot (Cyble)\r\nShould we be concerned?\r\nIt is still early to tell how popular the new Escobar malware will become in the cybercrime community, especially at a relatively high price. Nevertheless, it is now powerful enough to entice a wider audience.\r\nAlso, its operational model, which involves random actors that can rent it, means its distribution channels and methods may vary greatly.\r\nIn general, you can minimize the chances of being infected with Android trojans by avoiding the installation of APKs outside of Google Play, using a mobile security tool, and ensuring that Google Play Protect is enabled on your device.\r\nAdditionally, when installing a new app from any source, pay attention to unusual permission requests and monitor the app's battery and network consumption stats for the first few days to identify any suspicious patterns.\r\nSource: https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"
	],
	"report_names": [
		"android-malware-escobar-steals-your-google-authenticator-mfa-codes"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a7e369e9f04c7da0b56e7d3c9886b0e6a926c6e.pdf",
		"text": "https://archive.orkl.eu/7a7e369e9f04c7da0b56e7d3c9886b0e6a926c6e.txt",
		"img": "https://archive.orkl.eu/7a7e369e9f04c7da0b56e7d3c9886b0e6a926c6e.jpg"
	}
}