
Exobot

Posted: May 6, 2019

Exobot is a banking Trojan that compromises Android devices and collects bank account-related credentials from the users. Currently, its spreading methods emphasize SMS messages with fraudulent application downloads, although its availability to the public makes a diverse range of strategies and campaigns highly possible. Users should be careful about installing applications that request excessive permissions and let compatible anti-malware products remove Exobot infections as soon as possible.

A Free-For-All Botnet of Bank Heists

The rapid reproduction of Ransom-as-a-Service campaigns and new releases of Hidden Tear show just how critical accessibility can be for criminals and threatening software. Exobot, a botnet-based banking Trojan whose source code has been leaked since 2018, is at the forefront of showing how availability and user-friendliness make for more attacks against not just PC owners but also smartphone owners. This Android-compatible Trojan is available to threat actors without requiring any programming experience, although some threat actors are enthusiastically at work on updating it with premium modules.

Exobot's campaigns frequently abuse mislabeled downloads sent over SMS messages to install the banking Trojan, with the only tip-off to the victim being the unusual breadth of permissions that the fake banking application requests. It then conducts activities related to collecting information and giving the attacker a backdoor into the phone. Some of the particularly high-priority attacks that malware analysts warn against in most Exobot builds include:

  • The Trojan compromises any SMS-reliant online banking activity by targeting out-of-band authentication protocols via message forwarding.
  • It also generates an overlay with a custom interface for different types of banking sites and services, enabling the program's automatic capturing of credentials like passwords and blocking the user's access to the real bank.
  • Besides its anti-banking functions, Exobot intercepts all SMS messages in general and can upload the resultant data to the threat actor.
  • Some of Exobot's payload supports non-spyware attacks, as well, such as locking the user's screen and implementing password protection without the user's consent.

All of these properties and more are available to the threat actor via a no-programming-required control panel that provides tracking features comparable to those of AdSense or a server admin tool.

Spotting Trojans before Becoming Part of a Poverty Network

There are no distinct limits to how Exobot might spread, but some of its campaigns are using infection vectors that malware experts can confirm in their entirety. One campaign uses SMS and MMS messaging with the disguise of an application like WhatsApp or Runtastic. A second one is targeting adult movie sites and forcing them into serving fake Adobe Flash plugins and erotica-themed applications. Both cases require the victim's consent for the installation and include suspicious permission demands.

While malware experts recommend against installing applications from unsafe sources, even legitimate ones like the Google Play store, upon occasion, have breaches (such as the PreAMo Trojan clicker, at tens of millions of installations). Users should refuse permissions for any applications that they aren't sure are safe, and depend on anti-malware services for identifying disguised Trojans. Some versions of this banking Trojan employ various anti-AV features such as auto-closing security applications, so users should update their anti-malware products beforehand, if possible, for deleting Exobot accurately and safely.
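The permission check described above can be automated against a decoded AndroidManifest.xml. The following is an added example, not code from this page or from any Exobot analysis: the mapping of the behaviours listed earlier to standard Android permissions, the risk heuristic, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: behaviours described above mapped to standard Android permissions.
BEHAVIOURS = {
    "sms_interception": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "sms_forwarding": {P + "SEND_SMS"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "screen_lock": {P + "BIND_DEVICE_ADMIN"},
}

def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus android:permission set on components
    (device admin is bound on a <receiver>, not requested via <uses-permission>)."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            perms.add(el.get(ANDROID + "name"))
        elif el.get(ANDROID + "permission"):
            perms.add(el.get(ANDROID + "permission"))
    perms.discard(None)
    return perms

def audit(manifest_xml):
    """Return (behaviour -> matched permissions, risky flag)."""
    perms = declared_permissions(manifest_xml)
    hits = {b: sorted(perms & want) for b, want in BEHAVIOURS.items() if perms & want}
    # Heuristic (assumption): SMS interception combined with overlay or device admin.
    risky = "sms_interception" in hits and ("overlay" in hits or "screen_lock" in hits)
    return hits, risky

# Constructed sample: an app posing as a fitness tracker with an unusually broad request set.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""

# Constructed sample: an app that only needs network access.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SUSPICIOUS), audit(BENIGN), sep="\n")
```

Legitimate SMS or device-management applications request some of these permissions too, so a hit is a prompt for review against the application's stated purpose, not a verdict.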

Like any 'good' Trojan, Exobot's payload is a bundle of security and privacy problems that aren't easily repairable. Keep your phone safe, and you'll never have to worry about a banking Trojan interfering with your account, screen or AV services.
