The Escobar banking trojan steals victims’ Google Authenticator MFA codes to target banking institutions, bypassing the two-factor authentication protecting accounts. Here’s how it works and how to defend yourself.

The main objective is to steal information from victims’ bank accounts, take whatever funds are available and even make unauthorized transactions.

Escobar has new features, including the ability to steal Google Authenticator MFA (multi-factor authentication) codes. But that’s not the only feature that makes it particularly insidious.

In fact, the malware is able to:

  • capture users’ credentials when they interact with banking sites and apps;
  • intercept authorization codes and 2FA codes sent via SMS;
  • and even capture codes generated by the Google Authenticator app.

The new version of the malware-as-a-service Escobar also adds the ability to take control of infected Android devices, including:

  • VNC remote access and an option to record audio;
  • the ability to take pictures;
  • a wider range of apps targeted for credential theft;
  • getting account lists, disabling the keylock, making calls and accessing the device’s precise location.

The advice is not to download apps from outside the official marketplaces and never to click on links or attachments in emails or messages without first checking where they lead.