Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

ID: S0522
Associated Software: Marcher
Platforms: Android
Version: 1.0
Created: 29 October 2020
Last Modified: 07 December 2020


Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1432 | Access Contact List | Exobot can access the device’s contact list.[1] |
| Mobile | T1418 | Application Discovery | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.[1] |
| Mobile | T1402 | Broadcast Receivers | Exobot has registered to receive the BOOT_COMPLETED broadcast intent.[1] |
| Mobile | T1412 | Capture SMS Messages | Exobot can intercept SMS messages.[1] |
| Mobile | T1476 | Deliver Malicious App via Other Means | Exobot has been spread using direct download links.[1] |
| Mobile | T1401 | Device Administrator Permissions | Exobot can request device administrator permissions.[1] |
| Mobile | T1446 | Device Lockout | Exobot can lock the device with a password and permanently disable the screen.[1] |
| Mobile | T1417 | Input Capture | Exobot has used web injects to capture users’ credentials.[1] |
| Mobile | T1411 | Input Prompt | Exobot can show phishing popups when a targeted application is running.[1] |
| Mobile | T1444 | Masquerade as Legitimate Application | Exobot has used names like WhatsApp and Netflix.[1] |
| Mobile | T1604 | Proxy Through Victim | Exobot can open a SOCKS proxy connection through the compromised device.[1] |
| Mobile | T1582 | SMS Control | Exobot can forward SMS messages.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | Exobot has used HTTPS for C2 communication.[1] |
| Mobile | T1426 | System Information Discovery | Exobot can obtain the device’s country and carrier name.[1] |
| Mobile | T1422 | System Network Configuration Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address.[1] |