What is Exobot, the frightening new banking app trojan?

Your banking app could be stealing information.


Ben Dickson


Here’s something creepy that might happen to you: You turn on your phone and fire up your banking app. While you think you’re entering your login information safely, an invisible, malicious app steals your username and password and sends them to a cybercriminal who will use them to steal money from your account.

Known as a banking trojan, this kind of malware has become a growing threat as mobile banking and payments have risen in popularity. Researchers at cybersecurity firm WatchGuard Technologies have made a thorough analysis of Exobot, a nasty Android malware, and their findings prove just how advanced the threat of banking trojans has become.

What is Exobot?

Exobot is a sophisticated botnet package for Android devices. Botnets are malware that give their authors remote access to infected devices. Botnets take orders from a command and control server and are usually used in distributed denial of service (DDoS) attacks.

In the case of Exobot, however, the malware’s main functionality is to steal sensitive information from banking apps and financial services. Once Exobot infects a device, it uses “overlay attacks” to steal banking information. In an overlay attack, the attacker places an invisible window on top of the user interface of the targeted app and intercepts whatever the user types or taps. So, when the user is typing their username and password in the login page, they are in reality typing in Exobot’s invisible layer. The malware then sends the information to the attacker’s server.

The reason they call it a “trojan” is that, like the Trojan Horse of Greek myth, the malware is hidden inside an application that looks legitimate. For instance, it might be a banking app in an unofficial Android app repository.

Exobot dates to 2016. Back then, the author provided it as a rented service. In 2018, Exobot’s source code leaked publicly. This means anyone with the technical know-how can download the source code, modify it, and spin their own version of the malware.

“What makes Exobot’s source code significant, even to this day, is that it provides an established fundamental structure for newer malware to build off of,” says Emil Hozan, security threat analyst at WatchGuard. “Instead of starting from scratch, malware authors can use this code to build upon. We’ve seen this happen countless times with other malware source code leaks like Zeus and, more recently, Mirai.” (Mirai is the botnet malware that shut down the internet across large swaths of the U.S. in 2016.)


Exobot: malware-as-a-service business

The general perception is that banking trojans and other malware are run by hackers with sophisticated programming and technical skills. But Exobot lowers the barrier for non-technical criminals to get involved in the banking trojan business.

The WatchGuard analysis shows that the malware has been designed to provide a control panel and user interfaces that “customers” without technical know-how can sign up to use.

The Exobot server software, the component that gathers the stolen data from infected devices, supports multi-tenancy. This means that a single installation can support multiple customers and stand as a malware-as-a-service (MaaS) business for its owner. Using it will be as easy as running a CMS platform, such as WordPress.

“One of the specific elements of Exobot that is very effective is compartmentalizing features for ‘customers’ while maintaining full backend access for authors,” Hozan says. “This allows full control of everything. While limiting customer access to their respective rental time, authors can make adjustments without affecting customer-facing frontends.” 

Exobot’s sophistication also makes it extremely difficult for network analysis tools to detect and block its malicious traffic. “As opposed to having a dedicated server with an IP address that can be blocked in its entirety, the use of hosting providers as possible frontend proxies does indicate more advanced malware behavior,” Hozan says.

Exobot: a global threat

One of the challenges of targeting the electronic payments industry is that the landscape varies across different regions. Exobot has been designed to adapt itself to habits and trends in various countries. The malware is especially targeted at PayPal, which is the most popular online payment system around the world, but also adapts to dozens of regional financial services and banking apps.

Exobot’s authors have also armed the malware with the capability of disabling major mobile antivirus solutions such as BitDefender and Avira.

“In general, the more prominent global apps like PayPal and BitDefender would be a greater threat, followed by region-specific services,” Hozan says. “Each region has their own ‘U.S. Bank’ or relatable financial service, and the same goes for antivirus products. In other words, the greatest threat would be the service with the most subscribers.”

WatchGuard’s researchers have also spotted at least one other rentable botnet on dark web markets, the anonymous underbelly of the internet, that looks very similar to Exobot. This could indicate that other hard-to-catch and dangerous banking trojans are emerging.


How to protect yourself against Exobot and other banking trojans

Authors of malware like Exobot usually catch their targets by distributing their malware outside official app stores or infecting them through phishing scams. The main way to protect yourself against mobile banking trojans is to only download apps from official marketplaces such as Google Play and Apple App Store.

Both Google and Apple have thorough processes to make sure the apps published in their marketplaces do not contain malicious code and suspicious behavior. Sideloaded apps—applications that have been downloaded and installed outside of main app stores—offer no such guarantees.

Yet not even the official app stores offer absolute protection, and malicious apps often slip past their defenses. WatchGuard’s security experts recommend enabling multi-factor authentication (MFA) on sensitive applications. MFA requires users to complete an extra step when logging in to their accounts, such as running a fingerprint scan, entering a one-time password, or connecting a physical key. MFA makes it extremely difficult for hackers to break into online accounts, even if they steal the username and password through a trojan.

Also worth noting is that Exobot and similar malware need administrative access to perform functions such as disabling antivirus apps and manipulating the user interfaces of targeted apps. “The tell-tale sign of what to look out for are outrageous permission requests for a particular app. Users shouldn’t give admin access to just any app, such as a game for example,” Hozan says. “While there are apps that rightfully and legitimately require admin access to run, any app that does request this should be scrutinized.”
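
The permission check Hozan describes can be automated for a batch of apps. The following is an added example, not code from the article or from WatchGuard’s analysis: it reads a decoded AndroidManifest.xml and rates an app by whether it can draw over other apps or act as a device administrator. Mapping the article’s “overlay” and “admin access” to the Android identifiers SYSTEM_ALERT_WINDOW and BIND_DEVICE_ADMIN is this example’s assumption, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"    # "draw over other apps"
ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"   # guards device-admin receivers

def capabilities(manifest_xml):
    """Return the sensitive capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID + "name") == OVERLAY:
            found.add("overlay")
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == ADMIN_BIND:
            found.add("device-admin")
    return found

def triage(manifest_xml, admin_expected=False):
    """Rate an app 'ok', 'review' or 'high'; admin_expected marks apps that legitimately need admin."""
    caps = capabilities(manifest_xml)
    unexpected_admin = "device-admin" in caps and not admin_expected
    if unexpected_admin and "overlay" in caps:
        return "high"      # can draw over other apps and resist removal
    if unexpected_admin or "overlay" in caps:
        return "review"
    return "ok"

def build_manifest(package, permissions, admin_receiver=False):
    """Build a constructed (not real) manifest for the samples below."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    receiver = ('<receiver android:name=".Admin" android:permission="%s"/>' % ADMIN_BIND
                if admin_receiver else "")
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>'
            % (package, uses, receiver))

# Constructed samples: a game asking for far more than it needs,
# a device-management agent, and an ordinary app.
GAME = build_manifest("com.example.puzzlegame", ["android.permission.INTERNET", OVERLAY], True)
MDM = build_manifest("com.example.mdmagent", ["android.permission.INTERNET"], True)
NOTES = build_manifest("com.example.notes", ["android.permission.INTERNET"])

if __name__ == "__main__":
    for name, xml, expected in (("game", GAME, False), ("mdm", MDM, True), ("notes", NOTES, False)):
        print(name, triage(xml, admin_expected=expected))
```

A “review” or “high” rating is a prompt to look closer, not proof of malware: the admin_expected flag is where the reviewer records that an app has a legitimate reason for admin access.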

The Daily Dot