1. Home
  2. Software
  3. Escobar

Escobar

Escobar is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.[1]

ID: S1092
Type: MALWARE
Platforms: Android
Contributors: Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 28 September 2023
Last Modified: 11 October 2023
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1517 Access Notifications

Escobar can monitor a device’s notifications.[1]
Mobile T1429 Audio Capture

Escobar can record audio from the device’s microphone.[1]
Mobile T1616 Call Control

Escobar can initiate phone calls.[1]
Mobile T1533 Data from Local System

Escobar can collect sensitive information, such as Google Authenticator codes.[1]
Mobile T1420 File and Directory Discovery

Escobar can access external storage.[1]
Mobile T1630 .001 Indicator Removal on Host: Uninstall Malicious Application

Escobar can uninstall itself and other applications.[1]
Mobile T1417 .001 Input Capture: Keylogging

Escobar can collect application keylogs.[1]
.002 Input Capture: GUI Input Capture

Escobar can collect credentials using phishing overlays.[1]
Mobile T1430 Location Tracking

Escobar can request coarse and fine location permissions to track the device.[1]
Mobile T1461 Lockscreen Bypass

Escobar can request the DISABLE_KEYGUARD permission to disable the device lock screen password.[1]
Mobile T1636 .002 Protected User Data: Call Log

Escobar can access the device’s call log.[1]
.004 Protected User Data: SMS Messages

Escobar can read SMS messages on the device.[1]
Mobile T1663 Remote Access Software

Escobar can use VNC to remotely control an infected device.[1]
Mobile T1582 SMS Control

Escobar can modify, send, and delete SMS messages.[1]
Mobile T1409 Stored Application Data

Escobar can request the GET_ACCOUNTS permission to get the list of accounts on the device, and can collect media files.[1]
Mobile T1512 Video Capture

Escobar can take photos using the device cameras.[1]

References

  1. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.