thetechxp is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

Android virus ‘Escobar’ collects 2FA tokens and hijacks phones


Pablo Escobar-inspired Android spyware grabs your credentials before taking over your device.

'Escobar' Android malware steals your 2FA codes — and takes over your phone
image credits: androidpolice

Escobar, an Android banking Trojan disguised as a McAfee antivirus programme, grabs one-time tokens from Google Authenticator, once again making the case that you should never install applications from outside of the official Google Play store unless you absolutely have to.

Access the VNC remote-desktop capability to totally take over a phone, as well as steal SMS text messages and media files, make phone calls, monitor your position, use the phone’s camera and uninstall programmes.


As a result of this feature, whomever is operating this software is able to get access to your online bank accounts and other internet services without your permission.

Escobar virus and how to avoid it

For Android banking Trojans like Escobar, here’s how you can protect yourself.

  • Install and make use of an antivirus programme for Android
  • Do not download programmes from other sources. However, some app marketplaces are even worse than Google Play.
  • Two-factor authentication should be used to protect your accounts. You should utilise a USB security key if that is an option for your account.
  • Use a password management programme that can recognise the difference between a legitimate login screen and a phoney one.
  • Before you install an app, be sure you know what rights it requires.
  • Be wary of your phone’s extremely high data or battery use.
  • The Google Play Protect feature should be switched on at all times.
  • Authy or Microsoft Authenticator may be used as other authenticator applications.

Sadly, there aren’t any Escobar cocaine hippos on this list.

Several weeks ago, MalwareHunterTeam discovered a bogus McAfee app with the Android package name “com.escobar.pablo,” which is clearly a reference to a notorious Colombian drug lord who was assassinated in 1993.


The content-delivery network CDN of Discord, from which the programme was downloaded, has become a key vector for malware.

As soon as the malicious software was discovered, researchers at Cyble discovered it was a development of the Aberebot banking Trojan, which was initially noticed in mid-2021 and “targeted users of 140+ banks and financial institutions across 18 countries.”

But there were a few new gimmicks in this new version.

New functionalities have been discovered in this Aberebot variation, such as collecting data from Google Authenticator and gaining control of compromised device displays via VNC, etc,” researchers stated in a blog post.


A guide for those who suspect they have been exposed

Cyble suggests some severe actions if you fear your device has been attacked by a financial Trojan like Escobar.

  • Your media files should be backed up, but not your applications.
  • Turn off your mobile data and Wi-Fi connection if possible.
  • You may factory reset your phone by removing the SIM card.
  • Attempt to recover as much of your personal data as you can from your Google account by checking your bank account for any strange activity.

Renting out malware

“His Excellency” placed an offer on a Russian criminal forum on Feb. 14 to rent a beta version of “Escobar” for $3,000 per month. Cyble and Bleeping Computer, which first reported this news, spotted this and reported on it.

The virus would be packaged and distributed by the “renters,” who would be responsible for doing so. The bogus McAfee app seems to have been added to the Discord CDN by at least one user. McAfee’s Android antivirus software is a fake version of the genuine thing.


As with many banking trojans, Escobar aims to steal login credentials by imitating genuine banking programmes and overlaying them with a lookalike interface.

Hence, when a Bank of America Android app is launched, a banking Trojan will wait until the Bank of America login screen is shown before launching its own fake version.

Your login and password are really sent to a remote command-and-control server as soon as you enter them into the banking Trojan. Even if you use a strong password manager, it won’t identify the bogus login page and put in the credentials automatically.


Escobar seems to go straight to the source of authenticator-app 2FA codes, as opposed to other banking Trojans that attempt to do the same. On command, it launches Google Authenticator and captures the screen in an attempt to capture the codes before their 30-second lifespans are finished.

When Escobar’s criminals get control of the phone, they may do anything from logging into accounts with previously obtained credentials to verifying the logins using Google Authenticator.


Leave a Comment