Escobar malware targets 8 banking and financial apps, steals 2FA codes

A new variant of the infamous mobile banking malware Escobar has hit eight popular banking and financial apps in India, bringing the list of targeted apps to more than 190 globally. Dubbed Escobar-C by security researchers, this variant injects malicious code into any app that uses Google’s Firebase Cloud Messaging (FCM) service as its SMS provider, then forwards all incoming SMS messages from banks to the malware’s control server. This allows Escobar-C to intercept and steal the 2FA codes that many banks use to protect their ATM and mobile banking applications.

Escobar Malware Steals User Data from Eight Banking Apps

A new type of malware called Escobar has been found to steal user data from eight banking and financial apps. It is named after the late Colombian drug lord Pablo Escobar. The data is stolen through a Trojan app that also extracts two-factor authentication codes.

What is Banking Malware?

The term ‘banking malware’ refers to a type of malicious software designed to extract information such as login credentials or authentication tokens. Typically, the attacker then uses this information to authenticate in place of the victim on other applications that rely on it. Online banking apps are the obvious example, but shopping sites like Amazon are targeted too: an attacker may, for instance, set up an account with your credit card number and make purchases without your knowledge. A recent study estimates that over 60% of mobile malware has at least one element of banking functionality.

Common Mobile Bank Trojans

Mobile banking Trojans most commonly target Android-based systems. One of the most common is the Sinowal Trojan. Sinowal allows its creators to capture login credentials through social engineering or through fake bank websites. Another common banking Trojan in this area is Asacub. The owners of this Trojan can remotely steal files from your phone, including screenshots of where you type in your PINs. It can also alter your displayed balance within a certain range to avoid detection.

A Look at the Details of Escobar Malware

What is Escobar malware? Escobar is a type of mobile malware that targets 190 different banking and financial apps. It is a family of malicious software (malware) that has been targeting the Apple iOS operating system for iPhones for the past several years. There are about 12 known variants in the family, including one named after Colombian drug lord Pablo Escobar, who was arrested in 1993. One variant, called Pablo, steals the two-factor authentication (2FA) credentials used to protect bank accounts. Other variants target customers of banks such as Bank of America, HSBC, TD Bank, ING Direct, Wells Fargo and Citibank. The malware steals logins and passwords, which criminals then use to commit fraud or identity theft in the victim’s name.

How Can You Protect Yourself?

While we don’t know the specifics of how this new form of attack operates, here are a few things you can do to help protect yourself:

  1. Enable two-factor authentication on all your accounts that support it.
  2. Don’t reuse passwords for any online account.
  3. Use an authenticator app such as Authy or Google Authenticator (available from your phone’s app store) instead of SMS messages as your second factor.

How to Check if Your Account Is Affected by Mobile Malware

Mobile malware is not a new phenomenon. The Escobar mobile malware was first discovered in 2015. Back then it targeted Android users only, but it has since expanded to target 190 banks and financial apps, including Wells Fargo Bank, USAA Bank and US Bank’s MobileBanking app.

To protect yourself from the Escobar malware, keep all of your software up to date and always use a strong password to log in. Use a different password for each account, so that if one of them is compromised the others are not.