Escobar is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.[1]

ID: S1092
Platforms: Android
Contributors: Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 28 September 2023
Last Modified: 11 October 2023

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1517 | Access Notifications | Escobar can monitor a device’s notifications.[1] |
| Mobile | T1429 | Audio Capture | Escobar can record audio from the device’s microphone.[1] |
| Mobile | T1616 | Call Control | Escobar can initiate phone calls.[1] |
| Mobile | T1533 | Data from Local System | Escobar can collect sensitive information, such as Google Authenticator codes.[1] |
| Mobile | T1420 | File and Directory Discovery | Escobar can access external storage.[1] |
| Mobile | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application | Escobar can uninstall itself and other applications.[1] |
| Mobile | T1417.001 | Input Capture: Keylogging | Escobar can collect application keylogs.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | Escobar can collect credentials using phishing overlays.[1] |
| Mobile | T1430 | Location Tracking | Escobar can request coarse and fine location permissions to track the device.[1] |
| Mobile | T1461 | Lockscreen Bypass | Escobar can request the DISABLE_KEYGUARD permission to disable the device lock screen password.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | Escobar can access the device’s call log.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Escobar can read SMS messages on the device.[1] |
| Mobile | T1663 | Remote Access Software | Escobar can use VNC to remotely control an infected device.[1] |
| Mobile | T1582 | SMS Control | Escobar can modify, send, and delete SMS messages.[1] |
| Mobile | T1409 | Stored Application Data | Escobar can request the GET_ACCOUNTS permission to get the list of accounts on the device, and can collect media files.[1] |
| Mobile | T1512 | Video Capture | Escobar can take photos using the device cameras.[1] |