Exobot Android Malware spreading via Google Play Store [source: threatfabric]
by CIRT Team
The Exobot actor (nicknamed “android”) started a new Android bot rental service named Exobot v1 in June 2016. The malware in use was built to target many banks with so-called overlay attacks (also known as injects). SfyLabs’ team analyzed and researched Exobot v1, which is covered in detail in our blog.
After a year of successful Exobot v1 campaigns, in May 2017 the actor “android” decided to create a new version of the malware almost from scratch, dubbed Exobot v2. At some point the actor even boldly sold Exobot via a public website (“exoandroidbot.net” was online for more than half a year), which is very uncommon for banking Trojans.
The new bot capabilities of Exobot v2 were covered in another SfyLabs blog. What made version 2 special was its bot features. Those features are by far more capable and comprehensive than those of any other Android banking Trojan, such as Mazar 3.0, Lokibot v2 or Anubis 2 (alias Bankbot v2), which resulted in their success. The actor did not only focus on obfuscation of the bot code to lower its detection rate (FUD), but also on features that could bypass fraud detection mechanisms, such as the use of a SOCKS5 proxy on the victim device to actually perform the transaction from the victim’s device (we have even seen requests from underground buyers for an embedded VNC module). Going in this direction gives Android banking Trojans RAT capabilities, which we forecasted earlier in 2017. We expect that Android bankers will continue to develop stable RAT capabilities in the coming year, since the source of the strongest Android banker is now in the hands of many new actors!
The recent changes
In early December 2017 the actor behind Exobot, nicknamed “android”, advertised in an underground forum that he would sell the source code of his malware to a limited number of buyers before quitting the business.
According to this same statement, he had become very rich. Such a statement in the malware world generally means one of two things: either the actor notices the surge of interest from law enforcement and/or competitors fighting back for their market share, or his business has indeed been very fruitful and his risk/gain ratio is no longer of interest.
Taking a glance at the research we have made into the Exobot malware since its first campaign in early 2016 (when the malware was still known under the name Marcher), we believe his statement is true, as it has been a widely spread and fully functional malware.
The sale of a Trojan’s source code usually results in the arrival on the market of new malware versions with additional capabilities, and in new threat actors experimenting with different means of malware distribution (snowball effect). This was seen with the malware families Slempo (sold in 2015 and leaked in 2016) and Bankbot v1 (leaked during 2016).
Less than a month after the actor started selling the Exobot source code, new campaigns in Austria, England, the Netherlands and Turkey were discovered. During our investigation, we were surprised to discover that the bot count (number of infected devices) in Turkey was three times higher than those of botnets targeting other countries.
We made the link between most of the new Exobot botnets and smishing (SMS phishing) or hybrid (desktop/mobile) phishing campaigns, but had to get our hands on the specific malicious apps used to infect Turkish Android users to explain the high number of victims.