The Aberebot Android trojan has returned with a new name and new features. According to BleepingComputer, the banking trojan can now steal Google Authenticator multi-factor authentication codes. Other new capabilities include taking control of infected Android devices using VNC, recording audio, and taking photos. The set of apps targeted for credential theft has also been expanded.
BleepingComputer says that, using KELA’s cyber-intelligence DARKBEAST platform, it found a post on a Russian-speaking hacking forum in which the Aberebot developer promotes the new version under the name ‘Escobar Bot Android Banking Trojan’. The findings were reportedly later corroborated by researchers at MalwareHunter, McAfee and Cyble.
How Aberebot/Escobar trojan can harm Android smartphone users
Like most banking trojans, Escobar shows overlay login forms to hijack user interactions with online banking apps and websites. The main goal of the virus is to steal enough information to allow the cybercriminals to take over victims’ bank accounts and perform unauthorized financial transactions.
The cybercriminals have reportedly expanded the set of targeted banks and financial institutions to 190 entities from 18 countries in the latest version. The report does not share their names. The virus requests 25 permissions, 15 of which are abused for malicious purposes. Examples include accessibility, audio record, read SMS, read/write storage, get account list, disabling the keylock, making calls, and accessing precise device location.
“Everything that the malware collects is uploaded to the C2 server, including SMS call logs, key logs, notifications, and Google Authenticator codes,” says the report. This is said to be enough to help criminals overcome two-factor authentication (2FA) defenses when assuming control of online banking accounts. 2FA codes generally arrive via SMS or are stored and rotated in tools like Google Authenticator, which is considered safer because it is not susceptible to SIM swap attacks. However, Google Authenticator codes are still not protected from malware that infiltrates the userspace.
How Android users can stay safe
In general, Android users can minimize chances of getting their smartphones infected by following these important tips:
* Do not install APKs from outside the Google Play Store
* Ensure that Google Play Protect is enabled on the device
* When installing a new app from any source, pay attention to unusual requests for permissions and monitor the app’s battery and network consumption stats for the first few days to identify any suspicious activity.
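The permission check in the last tip can be partly automated. The following is an added example, not code from the report or from BleepingComputer: it reads an app manifest that has already been decoded to text XML (for instance with apktool) and counts how many of the permission categories listed above the app requests. The mapping to Android permission names, the threshold of four and the sample manifest are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Article's permission categories -> Android permission names
# (this mapping is the example's assumption, not part of the report).
RISKY = {
    "android.permission.RECORD_AUDIO": "audio record",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.GET_ACCOUNTS": "get account list",
    "android.permission.DISABLE_KEYGUARD": "disable keylock",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml, threshold=4):
    """Return the listed categories an app requests and whether it is worth review."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = sorted(RISKY[p] for p in requested if p in RISKY)
    # Accessibility is not a <uses-permission>: an app exposes an accessibility
    # service by declaring a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    services = root.iter("service")
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in services):
        hits.append("accessibility")
    return {"package": root.get("package"), "hits": hits,
            "suspicious": len(hits) >= threshold}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A high count is only a prompt for closer review, since legitimate apps also request some of these permissions.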