{
	"id": "05272a11-7068-4fcf-a878-26f8658ac394",
	"created_at": "2026-04-06T00:19:52.151377Z",
	"updated_at": "2026-04-10T03:20:05.638678Z",
	"deleted_at": null,
	"sha1_hash": "d40b799d24a1863fcf22a703d146a5e48b19cbff",
	"title": "Cyble - AbereBot Returns As Escobar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1536536,
	"plain_text": "Cyble - AbereBot Returns As Escobar\r\nPublished: 2022-03-10 · Archived: 2026-04-05 14:36:35 UTC\r\nThis Aberebot banking trojan steals data from Google Authenticator and takes control of compromised device\r\nscreens.\r\nDuring Cyble’s routine Open-Source Intelligence (OSINT) research, we came across a Twitter post wherein\r\nresearchers mentioned a malware that has a name and icon similar to the legitimate anti-virus app, McAfee. While\r\nanalyzing the malware, we observed that the package name of the malicious app was com.escobar.pablo. Further\r\nresearch helped us identify this malware as a new variant of the popular banking Trojan, Aberebot. Besides stealing\r\nsensitive information such as login credentials using phishing overlays, Aberebot has also targeted customers\r\nof 140+ banks and financial institutions across 18 countries.\r\nCyble Research Labs has identified new features in this Aberebot variant, such as stealing data from Google\r\nAuthenticator and taking control of compromised device screens using VNC, etc. 
Threat Actors (TAs) have\r\nnamed the new variant Escobar and published the feature details of the variant in a cybercrime forum, as shown\r\nin the figure below.\r\nhttps://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/\r\nPage 1 of 12\n\nFigure 1 – Darkweb Post About Escobar\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: McAfee\r\nPackage Name: com.escobar.pablo\r\nSHA256 Hash: a9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f\r\nFigure 2 shows the metadata information of the application.\r\nFigure 2 – App Metadata Information\r\nThe figure below shows the application icon and name displayed on the Android device.\r\nFigure 3 – App Icon and Name\r\nManifest Description\r\nThe malware requests 25 different permissions from the user, of which it abuses 15. 
These dangerous permissions are\r\nlisted below.\r\nPermission Description\r\nREAD_SMS Access SMSes from the victim’s device.\r\nRECEIVE_SMS Intercept SMSes received on the victim’s device.\r\nREAD_CALL_LOG Access call logs.\r\nREAD_CONTACTS Access phone contacts.\r\nREAD_PHONE_STATE Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.\r\nRECORD_AUDIO Allows the app to record audio with the microphone, which has the potential to be misused by attackers.\r\nACCESS_COARSE_LOCATION Allows the app to get the approximate location of the device from network sources such as cell towers and Wi-Fi.\r\nACCESS_FINE_LOCATION Allows the device’s precise location to be detected by using the Global Positioning System (GPS).\r\nSEND_SMS Allows an application to send SMS messages.\r\nCALL_PHONE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.\r\nWRITE_EXTERNAL_STORAGE Allows the app to write or delete files in the device’s external storage.\r\nREAD_EXTERNAL_STORAGE Allows the app to read the contents of the device’s external storage.\r\nWRITE_SMS Allows the app to modify or delete SMSes.\r\nGET_ACCOUNTS Allows the app to get the list of accounts used by the phone.\r\nDISABLE_KEYGUARD Allows the app to disable the keylock and any associated password security.\r\nWe observed a defined launcher activity in the malicious app’s manifest file, which loads the first screen of the\r\napplication, as shown in Figure 4.\r\nFigure 4 – Launcher Activity\r\nSource Code Review\r\nOur static analysis indicated that the malware steals 
sensitive data such as contacts, SMSes, call logs, and device\r\nlocation. Besides recording calls and audio, the malware also deletes files, sends SMSes, makes calls, and takes\r\npictures using the camera, etc., based on the commands received from the C\u0026C server.\r\nThe code snippet shown below is used by the malware to access contacts data such as phone numbers and email\r\naddresses from the victim’s device, as shown in Figure 5.\r\nFigure 5 – Code to Collect Contacts Data\r\nThe code shown in Figure 6 is used by the malware to collect SMSes from the device’s inbox and upload them to\r\nthe C\u0026C server.\r\nFigure 6 – Code to Collect Inbox SMSes\r\nThe malware collects incoming SMSes from the device and uploads them to the C\u0026C server, as shown in Figure 7.\r\nFigure 7 – Code for Collecting Incoming SMSes\r\nThe code snippet shown below depicts the malware’s ability to collect call logs from the device and upload them to the\r\nC\u0026C server.\r\nFigure 8 – Code to Collect Call Logs\r\nFigure 9 showcases the code that illustrates the malware’s ability to steal application key logs.\r\nFigure 9 – Code to Steal Key Logs\r\nIn the image below, we see the code that is used by the malware to record audio from an infected device based on\r\nthe TA’s command.\r\nFigure 10 – Code to Record Audio\r\nOn the TA’s command, the malware tries to steal Google Authenticator codes, as shown below.\r\nFigure 11 – Steals Google Authenticator Codes\r\nThe Escobar malware variant also uses VNC Viewer to remotely control the screens of an infected device, as shown\r\nbelow.\r\nFigure 12 – Uses VNC Viewer to Control Device Screen\r\nThe malware can take pictures and also has the code to send text SMSes to a specific phone number or to all the\r\ncontacts saved in the victim’s device without the user’s 
knowledge. Refer to Figure 13 for the code used by the\r\nmalware for this purpose.\r\nFigure 13 – Code to Take Pictures and Send SMSes\r\nActing on the commands given by the TA’s C\u0026C, the Escobar malware is capable of injecting URLs in the victim’s\r\ndevice, as shown below.\r\nFigure 14 – Injects URLs\r\nThe malware can also steal media files from the victim’s device, as shown in the code snippet below.\r\nFigure 15 – Steals Files on the Device\r\nThe image below depicts the malware’s ability to collect device location.\r\nFigure 16 – Code to Collect Device Location\r\nFigure 17 showcases the code snippet used by the Escobar malware to monitor the victim’s device notifications.\r\nFigure 17 – Code for Monitoring Device Notifications\r\nThe malware can also kill itself whenever it receives the command from the C\u0026C server.\r\nFigure 18 – Code to Kill Itself\r\nBelow are the commands used by the TAs to control the infected device:\r\nCommand Description\r\nTake Photo Capture images from the device’s camera\r\nSend SMS Send SMS to a particular number\r\nSend SMS to All Contacts Send SMS to all the contact numbers saved in the device\r\nInject a web page Inject a URL\r\nDownload File Download media files from the victim device\r\nKill Bot Delete itself\r\nUninstall an app Uninstall an application\r\nRecord Audio Record device audio\r\nGet Google Authenticator Codes Steal Google Authenticator codes\r\nStart VNC Control device screen\r\nConclusion\r\nBanking threats are increasing with every passing day and growing in sophistication. Escobar is one such example.\r\nThe newly added features in the Escobar malware allow the malicious app to steal information from the\r\ncompromised device. According to our research, these types of malware are only distributed via sources other than\r\nthe Google Play Store. 
As a result, practicing cyber hygiene across mobile devices and online banking applications is a\r\ngood way to prevent this malware from compromising your system.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputable anti-virus and internet security software package on your connected devices, such as PCs,\r\nlaptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device\r\nwhere possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by anti-virus software and the Android OS and take the necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/mobile data and remove the SIM card – as in some cases, the malware can re-enable mobile\r\ndata.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their 
customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware\r\nattacks via telephone, SMSes, or emails.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as Legitimate Application\r\nExecution T1575 Native Code\r\nCollection T1433 Access Call Log\r\nCollection T1412 Capture SMS Messages\r\nCollection T1432 Access Contact List\r\nCollection T1429 Capture Audio\r\nCollection T1512 Capture Camera\r\nCollection T1533 Data from Local System\r\nCollection T1430 Location Tracking\r\nCommand and Control T1436 Commonly Used Ports\r\nIndicators of Compromise\r\nIndicator Indicator Type Description\r\na9d1561ed0d23a5473d68069337e2f8e7862f7b72b74251eb63ccc883ba9459f SHA256 Escobar APK\r\n22e943025f515a398b2f559c658a1a188d0d889f SHA1 Escobar APK\r\nd57e1c11f915b874ef5c86cedb25abda MD5 Escobar APK\r\nSource: https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/"
	],
	"report_names": [
		"aberebot-returns-as-escobar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d40b799d24a1863fcf22a703d146a5e48b19cbff.pdf",
		"text": "https://archive.orkl.eu/d40b799d24a1863fcf22a703d146a5e48b19cbff.txt",
		"img": "https://archive.orkl.eu/d40b799d24a1863fcf22a703d146a5e48b19cbff.jpg"
	}
}