Exobot

Type of Malware | Trojan
Date of Initial Activity | 2016
Associated Groups | Exobot Actor
Motivation | Financial Gain
Attack Vectors | Phishing
Targeted Systems | Android
Overview
The Exobot threat actor represents a notorious figure in the world of mobile malware, specifically targeting Android devices with a focus on banking information theft and financial fraud. Emerging in 2016, Exobot quickly gained notoriety as a banking Trojan capable of stealing sensitive financial data and bypassing mobile security mechanisms, such as two-factor authentication (2FA). Initially, Exobot was sold on underground forums and Darknet marketplaces, allowing cybercriminals to rent or purchase the malware for various durations. This accessibility enabled a wide range of attackers to exploit Exobot’s capabilities, leading to its rapid spread and adaptation by multiple threat actors.
The Exobot threat actor’s operations have been marked by a series of sophisticated features designed to facilitate large-scale attacks on mobile banking applications. One of the Trojan’s most significant capabilities is its ability to intercept SMS messages and to inject code into visited websites (web injects), mimicking legitimate banking pages to capture sensitive user credentials. This functionality made Exobot particularly effective in compromising the customers of financial institutions and gathering data for fraudulent activities. Additionally, Exobot’s capacity to disable device features and lock or unlock the device further increased its utility, giving the attacker greater control over the victim’s device.
Targets
Individuals
How they operate
At the core of Exobot’s functionality is its ability to perform SMS interception and web injection attacks, which enable it to steal sensitive user data. Upon infection, the Trojan can hijack incoming and outgoing text messages, intercepting those related to financial transactions. This feature allows Exobot to capture authentication codes for two-factor authentication (2FA) used by banks, thereby bypassing critical security measures designed to protect online banking accounts. The Trojan also uses web injects to alter the content of web pages displayed to users. When victims access their bank’s website or other financial portals, Exobot injects malicious code into these pages to display fake login screens and capture user credentials, such as usernames, passwords, and credit card information.
Exobot is notable for its ability to control the infected device without requiring root access, a feature that significantly enhances its potential for wide-scale distribution. Once installed, Exobot can lock or unlock the device, disable certain functionalities such as the screen or phone use, and even send mass SMS messages to all contacts in the victim’s phonebook. These capabilities make it difficult for the victim to detect or stop the Trojan, as it can carry out these actions in the background while remaining relatively undetected. Additionally, Exobot can hide its presence on the device by using techniques such as disguising its icon or running in stealth mode, making it more difficult for users to identify and remove the malware.
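The capabilities described in the two paragraphs above (SMS interception, mass SMS to contacts, fake login screens over banking apps, and device locking) each require a recognisable set of Android permissions. The following triage script is an added example, not code from the page or from any Exobot sample: it parses an AndroidManifest.xml and reports which of those capabilities the declared permissions would allow. The permission names are real Android permissions; the sample manifest and the capability-to-permission mapping are constructed for illustration, and a match is a triage signal for an analyst, not proof of malice.

```python
# Added example (not from the page): map an Android manifest's declared permissions
# to the capabilities listed in the Exobot profile. Permission names are real
# Android permissions; the mapping and the sample manifest are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability from the profile -> permissions an app needs to perform it.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "mass_sms": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "overlay_fake_login": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "device_lock": {"android.permission.BIND_DEVICE_ADMIN"},
}


def manifest_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus android:permission attributes on
    receivers (a device-admin receiver declares BIND_DEVICE_ADMIN there)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for receiver in root.iter("receiver"):
        guard = receiver.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return {p for p in perms if p}


def banking_trojan_capabilities(manifest_xml: str) -> list:
    """Return, sorted, every capability whose full permission set is declared."""
    perms = manifest_permissions(manifest_xml)
    return sorted(cap for cap, need in CAPABILITY_PERMISSIONS.items() if need <= perms)


# Constructed sample manifest resembling what the profile's capabilities require.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(banking_trojan_capabilities(SAMPLE_MANIFEST))
```

In practice the manifest is extracted from the APK first (for example with apktool or aapt); an ordinary messaging app will legitimately match `sms_interception`, so the value of the check lies in the combination of capabilities declared together.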
One of the key components that makes Exobot a persistent threat is its use of a Command and Control (C2) server for remote operations. The malware communicates with the C2 server to receive updates, new instructions, and additional malicious payloads. This server acts as the central hub for managing the infected devices, allowing the attacker to control and monitor the compromised device in real-time. The C2 infrastructure is constantly evolving to avoid detection and shutdown by law enforcement and cybersecurity experts. Exobot’s C2 communication is often encrypted to ensure that the malware’s actions remain concealed, making it harder for defenders to trace and neutralize the threat.
Since its inception, Exobot has gone through several iterations, with each new version introducing additional features and improving its evasion tactics. The ExobotCompact variant, for example, emerged as a lighter, more efficient version of the original malware, maintaining much of the core functionality but with improved performance and lower resource usage. This version was designed to be stealthier and more adaptable to modern Android devices, avoiding detection by security software and enhancing the Trojan’s ability to infect a larger number of victims. The creators of Exobot have also made the malware available as a Malware-as-a-Service, allowing other cybercriminals to rent or purchase the malware for a variety of attacks, expanding its reach and impact.
The source code leak in 2018 further amplified Exobot’s presence in the cybercriminal underground. With the code now publicly available, many threat actors began creating their own variants of the Trojan, incorporating their own features and using it for various malicious purposes. While this shift created competition for the original Exobot developer, it also prompted them to continue refining and updating the malware. New versions of Exobot continue to surface, incorporating advanced anti-analysis and anti-detection mechanisms, such as the use of encrypted communication channels and polymorphic payloads that change their appearance to evade signature-based detection tools.
In conclusion, Exobot operates through a combination of advanced techniques that make it a formidable threat to Android users, especially those involved in mobile banking. Its ability to intercept SMS messages, inject malicious code into web pages, and remotely control infected devices allows cybercriminals to carry out large-scale fraud and data theft operations. As the threat landscape continues to evolve, so too does Exobot, with new versions and variants emerging regularly to outpace detection and evade security measures. This makes it crucial for users to remain vigilant and for cybersecurity experts to stay ahead of the evolving tactics employed by Exobot and other similar malware.