2 min

The ‘Escobar’ banking trojan is available for 2,750 euros a month on the dark web. Cybercriminals are professionalizing with revenue models, marketing and infrastructure.

One or more cybercriminals distribute the ‘Escobar’ banking trojan under the guise of legitimate Android apps. On March 3, security researcher MalwareHunterTeam found the trojan in the wild. ‘Escobar’ pretended to be a McAfee app to infect devices and wiretap bank details.

The trojan did not appear anywhere else. Although its spread is likely limited to a minimum, the incident points to a trend.


Security website BleepingComputer found an ad for ‘Escobar’ on the dark web. A Russian-speaking provider has been renting the trojan for 2,750 euros per month since the end of February. Interested parties can try out the trojan for three days. Unsatisfied customers get their money back. ‘Escobar’ is more than a trojan: ‘Escobar’ is a service.

The same phenomenon can be found in the ransomware market. Malware is developed, offered and deployed by ransomware-as-a-service groups. Cybercriminals go beyond selling code: infrastructure and support are included.

‘Escobar’ is no exception. The service takes care of almost everything. Login data, SMS messages, call history and 2FA codes are collected. Data is sent to a C2 server, ready for abuse.


Security researcher Cyble analyzed ‘Escobar’ and conclude that the trojan was developed by the same author(s) as ‘Aberebot,’ a banking trojan spotted in 2021. Cyble considers ‘Escobar’ to be an update of ‘Aberebot’. The trojans work similarly. Unlike ‘Aberebot’, ‘Escobar’ is able to mimic more than 100 modern banking environments in 18 countries.


As mentioned earlier, the spread of ‘Escobar’ is likely limited. There’s no reason to wipe all of your organization’s Android devices. However, precaution is recommended. Make sure to set policies that ban all app files outside official app stores. Keep in mind that trojans are sometimes offered in official app stores. Banning all non-necessary apps is the most preventive measure, but may come at the expense of productivity.

Tip: Banking trojan Xenomorph infects 50,000 devices via Google Play