S1092: Escobar
Analyst context for executives and security teams
Escobar matters because it is an Android banking trojan associated in ATT&CK with credential and data collection behaviors on mobile devices, including keylogging, GUI input capture, notification access, SMS and call data access, location tracking, audio/video capture, and remote access software. For leaders, the practical issue is not just one malware name: it is whether mobile devices used for banking, workforce authentication, communications, or executive activity are governed and monitored well enough to spot risky permissions and sensitive-data access.
Executive priority
Treat this as a mobile identity and fraud-readiness concern. The supplied ATT&CK context links Escobar to behaviors that can expose credentials, one-time codes, SMS messages, call logs, local files, and device location on Android. Security leaders should ask whether managed and unmanaged Android devices have enforceable app controls, permission visibility, incident response procedures for compromised phones, and audit evidence showing how mobile MFA and sensitive business communications are protected.
Technical view
Escobar is listed as Android malware, described by MITRE as a banking trojan first detected in March 2021 and believed to be a variant of AbereBot. No official ATT&CK detection text is provided, so SOC and IR teams should validate coverage behaviorally against the linked techniques: stored application data access, keylogging, GUI input capture, file and directory discovery, audio/video capture, location tracking, lockscreen bypass context, notification access, local data collection, SMS and call control, uninstall behavior, call log and SMS collection, and remote access software use. Prioritize review of Android permissions and events involving accessibility services, notification access, SMS/call capabilities, microphone/camera/location access, suspicious app install or uninstall activity, and unexpected remote access applications.
Likely telemetry
- Android MDM/EMM inventory for installed applications, package names, install source, version, and uninstall events
- Application permission state, including SMS, call, notification, accessibility, microphone, camera, location, and storage-related permissions
- Android security and device posture data, including root/jailbreak indicators where available
- Mobile threat defense or endpoint telemetry for suspicious overlays, keyboard behavior, accessibility abuse, and remote control activity
- Notification, SMS, call log, and call-control permission usage where collection is legally and technically available
Detection direction
- Because MITRE provides no official detection guidance for this object, validate detections against the related ATT&CK behaviors rather than the malware name alone.
- Tune for high-risk permission combinations on Android, especially apps requesting accessibility plus notification, SMS, call, storage, microphone, camera, or location capabilities without a clear business justification.
- Look for user-facing deception patterns consistent with keylogging or GUI input capture, while accounting for legitimate keyboards, accessibility tools, banking apps, and enterprise support tools as false-positive sources.
- Review unexpected remote access software on mobile devices, especially when paired with sensitive permissions or banking/authentication use cases.
- Correlate mobile alerts with identity events such as failed logins, unusual MFA prompts, password resets, or one-time-code use; do not assume mobile telemetry alone will prove compromise.
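The permission-combination tuning described in the list above, as an added worked example that is not part of the ATT&CK object or the Glexia analysis: it scores constructed MDM/EMM application inventory records for an accessibility-service binding combined with notification, SMS, call, storage, microphone/camera or location capabilities, with an allowlist for the legitimate keyboards, support tools and banking apps named as false-positive sources. The record field names, the `"play"`/`"sideload"` install-source vocabulary, the weights and the threshold are assumptions for illustration; the permission strings are real Android manifest permission names.

```python
"""Score Android app inventory records for high-risk permission combinations.

Added example, not code from the ATT&CK object or the mirrored page. Input
records are constructed to resemble an MDM/EMM application export; the field
names, install-source values, weights and threshold are assumptions to tune
per environment.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Real Android permission identifiers grouped by the capability they grant.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATIONS = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
CALLS = {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS"}
MEDIA = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"}
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"}
GROUPS = {"sms": SMS, "calls": CALLS, "media": MEDIA, "location": LOCATION, "storage": STORAGE}

# Assumed weights: SMS and call access (one-time codes, call control) weigh most.
WEIGHTS = {"sms": 3, "calls": 3, "notifications": 2, "media": 1, "location": 1, "storage": 1}
DEFAULT_SMS_HANDLER_WEIGHT = 2
SIDELOAD_WEIGHT = 2


@dataclass
class AppRecord:
    """One row of an (assumed) MDM/EMM application export."""
    package: str
    install_source: str                      # assumed vocabulary: "play" or "sideload"
    permissions: Set[str] = field(default_factory=set)
    default_sms_handler: bool = False


def score_app(app: AppRecord, allowlist: Set[str]) -> Tuple[int, List[str]]:
    """Return (score, reasons). The score stays 0 unless the app binds an
    accessibility service; the combination with other sensitive capabilities
    is what the detection guidance keys on, not any single permission."""
    if app.package in allowlist:
        return 0, ["allowlisted (keyboard / enterprise support / banking app)"]
    if ACCESSIBILITY not in app.permissions:
        return 0, []
    score, reasons = 0, ["accessibility service"]
    for name, perms in GROUPS.items():
        if app.permissions & perms:
            score += WEIGHTS[name]
            reasons.append(name)
    if NOTIFICATIONS in app.permissions:
        score += WEIGHTS["notifications"]
        reasons.append("notification listener")
    if app.default_sms_handler:
        score += DEFAULT_SMS_HANDLER_WEIGHT
        reasons.append("default SMS handler")
    if app.install_source != "play":
        score += SIDELOAD_WEIGHT
        reasons.append(f"install source: {app.install_source}")
    return score, reasons


def triage(apps: List[AppRecord], allowlist: Set[str], threshold: int = 5):
    """Return (package, score, reasons) for every app at or above the threshold,
    highest score first, for analyst review alongside identity events."""
    findings = []
    for app in apps:
        score, reasons = score_app(app, allowlist)
        if score >= threshold:
            findings.append((app.package, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


# Constructed sample inventory (hypothetical package names).
ALLOWLIST = {"com.example.supporttool"}
SAMPLE_INVENTORY = [
    AppRecord("com.example.keyboard", "play", {ACCESSIBILITY} | STORAGE),
    AppRecord("com.example.supporttool", "sideload", {ACCESSIBILITY} | MEDIA | STORAGE),
    AppRecord("com.example.bank", "play", SMS | LOCATION),
    AppRecord("com.example.updater", "sideload",
              {ACCESSIBILITY, NOTIFICATIONS} | SMS | CALLS | STORAGE,
              default_sms_handler=True),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_INVENTORY, ALLOWLIST):
        print(f"{package}: score {score}; {', '.join(reasons)}")
```

Only the sideloaded app holding accessibility plus notification, SMS, call and storage access and acting as default SMS handler crosses the threshold; the keyboard (accessibility plus storage) and the banking app (SMS plus location, no accessibility) stay below it, and the allowlisted support tool is suppressed regardless of its permissions. Treat a finding as a prompt to correlate with identity events, not as proof of compromise.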
Mitigation priorities
- Start with mobile asset governance: know which Android devices are allowed to access business systems and whether they are managed.
- Enforce app installation and permission controls for devices that access sensitive applications, prioritizing restrictions around accessibility, notification, SMS, call, storage, microphone, camera, and location permissions.
- Reduce dependence on easily intercepted mobile-delivered secrets where feasible, especially for high-risk users and financial or administrative workflows.
- Maintain mobile incident response playbooks covering device isolation, evidence preservation, account protection, MFA reset, and review of SMS/call/notification exposure.
- Provide user guidance focused on suspicious permission prompts, third-party keyboards, overlays, remote access apps, and unexpected requests to make an app the default SMS or phone handler.
Analyst notes and limits
The decision value is in the relationship set: Escobar is mapped to many Android-relevant data capture, credential capture, surveillance, SMS/call, and remote access behaviors. That breadth makes it useful for assessing whether mobile security, identity protection, and SOC workflows can handle a compromised phone scenario, especially where mobile devices are used for authentication or sensitive communications.
ATT&CK does not provide tactics or official detection text for this object in the supplied fields. The description is brief and cites a public report; local detection and risk assessment require environment-specific Android management, mobile security, identity, and network evidence. This summary does not assert current activity, attribution, customer exposure, or guaranteed detection coverage.
Escobar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.004 | SMS Messages (sub-technique) | |
| Mobile | T1512 | Video Capture | |
| Mobile | T1616 | Call Control | |
| Mobile | T1461 | Lockscreen Bypass | |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1409 | Stored Application Data | |
| Mobile | T1420 | File and Directory Discovery | |
| Mobile | T1636.002 | Call Log (sub-technique) | |
| Mobile | T1517 | Access Notifications | |
| Mobile | T1582 | SMS Control | |
| Mobile | T1663 | Remote Access Software | |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1417.001 | Keylogging (sub-technique) | |
| Mobile | T1630.001 | Uninstall Malicious Application (sub-technique) | |
| Mobile | T1429 | Audio Capture | |
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cfd0926bef0d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Bleeping Computer Escobar: B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.
- [2] mitre-attack S1092: MITRE ATT&CK source record for S1092.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.