The eScan Security Research Team discovered a banking Trojan named Aberebot during our Open-Source Threat Hunting. This Trojan is capable of stealing financial and personal information from infected devices.
Advanced anti-reverse engineering techniques and obfuscation techniques were used by malware authors to avoid detection. During our investigation, we discovered that the fake malicious application required some risky permissions.
Malware is capable of several things, including:
- Gathering contact details.
- Capturing OTPs from infected devices.
- Managing the installed applications on a mobile device.
- Using the C2 server’s commands to send SMS messages to the contacts.
- Stealing login information for banking websites and social media accounts.
- Using the BIND ACCESSIBILITY SERVICE to keep an eye on the victim’s device.
- Communicating with the command-and-control [C&C] server running on a Telegram bot account by means of the Telegram API.
In the last month, Android security researchers have analyzed a new banking malware named “Escobar.” This is the latest variant of the banking Trojan Aberebot. There are some new features in this malware’s new avatar, but it is not using Telegram for communication between computers. This Trojan aims to trick users and steal sensitive information from them.
This malware’s new variant (Escobar) has a legitimate-looking name and icon. There is an APK with the package name “com.escobar.pablo” which contains malware
The app is also capable of stealing sensitive data, including contacts, SMS, call logs, and device locations. In addition to recording calls and audio, the malware also deletes files, sends SMS, makes calls, and takes pictures using the camera based on commands from the malware author’s C&C server.
There are some updated extra features in the Escobar virus.
- To control an infected device remotely, it uses VNC Viewer.
- As instructed by the malware author, the malware attempts to steal Google authenticator codes.
- In addition, Escobar can kill itself whenever it receives a command from the C&C server.
Additionally, banking malware used different themes to trick the user. It has been reported that some applications use the Indian banking icon and pretend to be banking reward applications.
The malware can read and submit one-time generated passwords on behalf of the victim by stealing their credit and debit card information, net banking passwords, and SMS.
The data is encrypted before being sent to the C2 server. Malicious applications can be used by malware authors to execute commands on victims’ devices, including uploading SMS messages and call logs.
The malware can also delete all SMS messages from the victim’s mobile device after the SMSs have been uploaded to the C2 server.
eScan antivirus Detection
eScan antivirus detects these malicious applications with variants of “Android.Agent” and “Android.Banker” name.
Indicator of Compromises (IOCs):
You should use antivirus software such as “eScan Mobile Security for Android” to mitigate such threats and prevent malicious applications from being downloaded to your mobile device.
CONCLUSION:
According to the illustration above, Baking malware uses legitimate application icons to lure users. Banking Trojans can cause much damage to devices that have been infected. Banking Trojans are usually sold by threat actors on dark web forums and spread through third-party websites. It is important for users to be aware of such false claims and not download and install these applications from untrusted sources.
TIPS TO STAY SAFE
- Download software only from reliable websites like the Google Play Store.
- Please avoid clicking links received in messages or via social media platforms since they may be pointing to malicious websites.
- Always read the pop-up messages that the Android system displays before accepting new permissions.
- There is a trend among malware authors to spoof the names, icons, and developer names of original applications. Make sure you are extremely cautious when you download applications to your smartphone.
- If you want to ensure your phone is protected, use antivirus like eScan Mobile Security for Android.
