MITRE ATT&CK® Malware

S0522: Exobot

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

Platform: Mobile | ID: S0522 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Exobot is an Android banking malware entry in ATT&CK, described as primarily targeting financial institutions in Germany, Austria, and France. Its mapped behaviors matter because they combine credential/input capture, SMS and contact access, device and security-tool discovery, persistence through Android broadcast receivers, device administrator abuse, web-based communications, and proxying through the victim device. For leaders, the practical issue is not only malware removal; it is whether mobile devices used for banking, workforce access, or customer-facing operations are governed well enough to prevent or detect high-risk permission abuse and credential theft.

Executive priority

Prioritize this as a mobile identity and fraud-resilience concern where Android devices interact with financial services, privileged business accounts, or regulated data. The key executive questions are: do we know which Android devices and apps can access SMS, contacts, accessibility/keyboard functions, or device administrator privileges; can we revoke or contain risky apps quickly; and can incident response correlate mobile indicators with account takeover or suspicious banking activity? This object also supports audit and compliance discussions around mobile device governance, app permission control, and evidence of monitoring for credential and SMS abuse.

Technical view

SOC and IR teams should validate coverage around the Android behaviors linked to Exobot: Keylogging, GUI Input Capture, Security Software Discovery, System Network Configuration Discovery and Internet Connection Discovery, System Information Discovery, Web Protocols, SMS Control, Proxy Through Victim, Broadcast Receivers, Device Administrator Permissions, Contact List and SMS Message collection, Endpoint Denial of Service, and masquerading as legitimate apps. Because ATT&CK provides no official detection text for Exobot, detection should be built from relationship-driven behavior clusters rather than a single signature: suspicious Android app identity or location, high-risk permission requests, device admin activation, SMS send/receive/default-handler behavior, contact/SMS content access, persistence via broadcast receivers, and outbound web traffic or proxy-like behavior from mobile devices.

Likely telemetry

  • Android MDM/UEM inventory: installed apps, package names, app names/icons, install sources, versions, and device ownership status
  • Android permission and role state: SMS permissions, contacts access, accessibility/keyboard authorization where available, default SMS handler, and device administrator status
  • Mobile threat defense or endpoint telemetry for suspicious app behavior, broadcast receiver registration, persistence events, and attempted security software discovery
  • Network telemetry from mobile devices, especially HTTP/HTTPS destinations, unusual web-protocol communications, and proxy-like traffic patterns
  • Identity, banking, or application logs that can be correlated with mobile device activity, especially suspicious credential prompts or account access after mobile risk events

Detection direction

  • Validate that Android fleet telemetry can identify risky combinations of behaviors, not just known malware names: credential/input capture plus SMS access, contacts access, device admin, persistence, and web communications.
  • Tune allowlists carefully for legitimate keyboards, accessibility tools, MDM agents, SMS applications, and enterprise security products to reduce false positives while preserving alerting on unusual combinations or newly installed apps.
  • Look for masquerading indicators supported by ATT&CK relationships, such as apps matching legitimate names, icons, package-like naming, or locations in ways that obscure identity.
  • Correlate mobile alerts with account activity. Exobot is described as banking malware, so mobile credential/SMS events should inform fraud, IAM, and incident response triage when financial or privileged accounts are involved.
  • Account for blind spots: unmanaged BYOD Android devices, limited permission visibility, encrypted web traffic, and environments that only monitor corporate networks may miss key evidence.
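One way to turn the behavior clusters above into a repeatable check, added here as an example and not code from Glexia or MITRE: the script below scores constructed MDM-style app records against the permission and role clusters named in the Technical view and Detection direction sections, applies an allowlist for legitimate SMS and keyboard apps so they do not alert on their own, flags name/package mismatches of the WhatsApp/Netflix kind from the relationship table, and then joins surviving findings to constructed account-activity events by device id for fraud/IAM triage. The field names, the `role:` markers, the allowlist, the expected-package table and every sample record are assumptions to be replaced with your own telemetry.

```python
"""Behaviour-cluster scoring over Android fleet telemetry.

Added example, not Glexia or MITRE code. Record layout, the "role:" markers,
the allowlist, the expected-package table and the sample records are constructed
assumptions; map your MDM/UEM or mobile threat defense export onto them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One cluster per behaviour the page lists for Exobot. Permission strings are real
# Android permission names; "role:" markers stand in for state an MDM reports
# separately (default SMS handler, active device admin, enabled IME/accessibility).
CLUSTERS: Dict[str, Set[str]] = {
    "sms_control": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
                    "android.permission.READ_SMS", "role:default_sms_handler"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_admin": {"role:device_admin_active"},
    "input_capture": {"role:accessibility_service", "role:input_method"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "web_comms": {"android.permission.INTERNET"},
}
HIGH_RISK = {"sms_control", "device_admin", "input_capture"}
# Approved apps that legitimately hold these capabilities (constructed placeholders).
ALLOWLIST: Set[str] = {"com.example.mdmagent", "com.example.corpsms"}
# Package an app carrying a well-known name should ship under (constructed table;
# verify against your own reference data before relying on it).
EXPECTED_PACKAGE: Dict[str, str] = {"whatsapp": "com.whatsapp", "netflix": "com.netflix.mediaclient"}


@dataclass
class AppRecord:
    device_id: str
    package: str
    app_name: str
    install_source: str  # "play" or "sideload" in this example
    grants: Set[str]     # permission strings plus "role:..." markers


@dataclass
class Finding:
    device_id: str
    package: str
    clusters: List[str]
    reasons: List[str]
    score: int


def hit_clusters(grants: Set[str]) -> List[str]:
    """Names of clusters in which at least one grant appears."""
    return [name for name, members in CLUSTERS.items() if grants & members]


def masquerade_reason(rec: AppRecord) -> Optional[str]:
    """Display name resembles a well-known brand but the package is not the expected one."""
    for brand, expected in EXPECTED_PACKAGE.items():
        if brand in rec.app_name.lower() and rec.package != expected:
            return f"name resembles {brand!r} but package is {rec.package}"
    return None


def evaluate(rec: AppRecord) -> Optional[Finding]:
    """Score one app; a Finding is returned only for a risky, non-allowlisted combination."""
    if rec.package in ALLOWLIST:
        return None
    clusters = hit_clusters(rec.grants)
    score, reasons = len(clusters), [f"clusters: {', '.join(clusters)}"]
    masq = masquerade_reason(rec)
    if masq:
        score, reasons = score + 2, reasons + [masq]
    if rec.install_source != "play":
        score, reasons = score + 1, reasons + [f"install source {rec.install_source}"]
    # Alert on combinations: a high-risk cluster plus corroborating signals.
    if HIGH_RISK & set(clusters) and score >= 3:
        return Finding(rec.device_id, rec.package, clusters, reasons, score)
    return None


def correlate(findings: List[Finding], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach findings to account activity from the same device for fraud/IAM triage."""
    by_device = {f.device_id: f for f in findings}
    return [{**ev, "mobile_finding": by_device[ev["device_id"]].package}
            for ev in events if ev["device_id"] in by_device]


# Constructed sample: a sideloaded "Netflix" with the full cluster, an allowlisted
# corporate SMS app, and a third-party keyboard that should stay below threshold.
SAMPLE_INVENTORY = [
    AppRecord("d-001", "com.example.fakeflix", "Netflix", "sideload",
              {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
               "android.permission.READ_SMS", "role:default_sms_handler",
               "android.permission.READ_CONTACTS", "role:device_admin_active",
               "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.INTERNET"}),
    AppRecord("d-002", "com.example.corpsms", "Corp SMS", "play",
              {"android.permission.SEND_SMS", "role:default_sms_handler", "android.permission.INTERNET"}),
    AppRecord("d-004", "com.example.keyboard", "Cool Keyboard", "play",
              {"role:input_method", "android.permission.INTERNET"}),
]
# Constructed account-activity events keyed by the same device identifiers.
SAMPLE_EVENTS = [
    {"device_id": "d-001", "account": "treasury@example.com", "event": "new_session"},
    {"device_id": "d-004", "account": "jdoe@example.com", "event": "new_session"},
]


def run(inventory=SAMPLE_INVENTORY, events=SAMPLE_EVENTS):
    """Evaluate every record, then return (findings, account events needing review)."""
    findings = [f for f in map(evaluate, inventory) if f is not None]
    return findings, correlate(findings, events)


if __name__ == "__main__":
    print(run())
```

On the sample data only the sideloaded "Netflix" package alerts (five clusters, a name/package mismatch and a sideload source), the corporate SMS app is suppressed by the allowlist, and the keyboard holds an input-capture role but lacks corroborating signals, so its session event is not surfaced. The threshold and weights are deliberately simple; the point is that a single capability never alerts by itself.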

Mitigation priorities

  • Establish or validate Android device governance through MDM/UEM for devices that access sensitive business, financial, or identity systems.
  • Restrict or require approval for high-risk permissions and roles such as SMS control, contacts access, third-party keyboard/accessibility capabilities, and device administrator privileges where business needs allow.
  • Use app control and mobile threat defense processes to review suspicious app names, icons, package identities, install sources, and behavior combinations.
  • Prepare IR playbooks for mobile banking-malware scenarios: isolate or unenroll affected devices, revoke risky permissions, remove suspicious apps, rotate potentially exposed credentials, and review account activity tied to the device.
  • Educate users to treat unexpected credential prompts, requests for SMS/default handler/device administrator access, or third-party keyboard authorization as high-risk events.

Analyst notes and limits

The strongest defensive value comes from treating Exobot as a mapped Android behavior cluster rather than relying on the malware family name alone. The relationships highlight identity theft, SMS abuse, persistence, discovery, communications, proxying, and device control behaviors that should drive mobile detection engineering and incident response validation.

ATT&CK supplies a brief description, Android as the platform, one external Threat Fabric reference, and no official detection guidance for this object. Tactics are not specified in the supplied object. Local control decisions require organization-specific evidence about Android device management, app inventory, permissions, mobile network visibility, and whether affected devices interact with financial or privileged systems.

Official MITRE ATT&CK definition

Exobot

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

(15 rows)

Domain | ID | Name | Relationship / procedure
Mobile | T1624.001 | Broadcast Receivers (sub-technique) | Exobot has registered to receive the `BOOT_COMPLETED` broadcast intent. [1]
Mobile | T1582 | SMS Control | Exobot can forward SMS messages. [1]
Mobile | T1418.001 | Security Software Discovery (sub-technique) | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is. [1]
Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Exobot has used names like WhatsApp and Netflix. [1]
Mobile | T1437.001 | Web Protocols (sub-technique) | Exobot has used HTTPS for C2 communication. [1]
Mobile | T1636.004 | SMS Messages (sub-technique) | Exobot can intercept SMS messages. [1]
Mobile | T1422.001 | Internet Connection Discovery (sub-technique) | Exobot can obtain the device’s IMEI, phone number, and IP address. [1]
Mobile | T1422 | System Network Configuration Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address. [1]
Mobile | T1417.001 | Keylogging (sub-technique) | Exobot has used web injects to capture users’ credentials. [1]
Mobile | T1642 | Endpoint Denial of Service | Exobot can lock the device with a password and permanently disable the screen. [1]
Mobile | T1636.003 | Contact List (sub-technique) | Exobot can access the device’s contact list. [1]
Mobile | T1417.002 | GUI Input Capture (sub-technique) | Exobot can show phishing popups when a targeted application is running. [1]
Mobile | T1626.001 | Device Administrator Permissions (sub-technique) | Exobot can request device administrator permissions. [1]
Mobile | T1426 | System Information Discovery | Exobot can obtain the device’s country and carrier name. [1]
Mobile | T1604 | Proxy Through Victim | Exobot can open a SOCKS proxy connection through the compromised device. [1]
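Several of the rows above correspond to declarations an analyst can read straight out of an APK's manifest when triaging a suspicious app. The script below is an added example, not code from Glexia, MITRE or Threat Fabric: it parses a constructed AndroidManifest.xml and maps what it finds onto the technique IDs in the table (a BOOT_COMPLETED receiver to T1624.001, SMS permissions to T1582 and T1636.004, READ_CONTACTS to T1636.003, a receiver guarded by BIND_DEVICE_ADMIN to T1626.001, INTERNET to T1437.001, and a brand-like label under an unexpected package to T1655.001). The overlay rule (SYSTEM_ALERT_WINDOW to T1417.002), the expected-package table and both sample manifests are our own assumptions; the page states the behaviours, not the declarations behind them.

```python
"""Map AndroidManifest.xml declarations to the ATT&CK techniques listed for Exobot.

Added example, not Glexia, MITRE or Threat Fabric code. The mapping is our own
reading of the relationship table and the two manifests are constructed; a real
triage run would feed the manifest extracted from the APK under review.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Set, Tuple

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

# Well-known names the page says Exobot borrowed; expected packages are an
# assumption for the example and should be verified against reference data.
EXPECTED_PACKAGE = {"whatsapp": "com.whatsapp", "netflix": "com.netflix.mediaclient"}


@dataclass
class ManifestInfo:
    package: str
    label: str
    permissions: Set[str]
    receiver_actions: Set[str]
    device_admin_receiver: bool


def parse_manifest(xml_text: str) -> ManifestInfo:
    """Pull out the declarations the mapping below cares about."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    actions: Set[str] = set()
    device_admin = False
    for recv in root.iter("receiver"):
        if recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True
        actions.update(a.get(A + "name", "") for a in recv.iter("action"))
    return ManifestInfo(
        package=root.get("package", ""),
        label=app.get(A + "label", "") if app is not None else "",
        permissions={p.get(A + "name", "") for p in root.iter("uses-permission")},
        receiver_actions=actions,
        device_admin_receiver=device_admin,
    )


def map_to_attack(info: ManifestInfo) -> List[Tuple[str, str, str]]:
    """Return (technique id, name, evidence) for each mapped declaration present."""
    perms, actions, hits = info.permissions, info.receiver_actions, []
    if "android.intent.action.BOOT_COMPLETED" in actions:
        hits.append(("T1624.001", "Broadcast Receivers", "receiver for BOOT_COMPLETED"))
    if "android.permission.SEND_SMS" in perms:
        hits.append(("T1582", "SMS Control", "SEND_SMS permission"))
    if "android.permission.RECEIVE_SMS" in perms or "android.provider.Telephony.SMS_RECEIVED" in actions:
        hits.append(("T1636.004", "SMS Messages", "SMS receipt capability"))
    if "android.permission.READ_CONTACTS" in perms:
        hits.append(("T1636.003", "Contact List", "READ_CONTACTS permission"))
    if info.device_admin_receiver:
        hits.append(("T1626.001", "Device Administrator Permissions", "BIND_DEVICE_ADMIN receiver"))
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:  # our mapping for overlay-based popups
        hits.append(("T1417.002", "GUI Input Capture", "overlay permission"))
    if "android.permission.INTERNET" in perms:  # weak signal on its own
        hits.append(("T1437.001", "Web Protocols", "INTERNET permission"))
    for brand, expected in EXPECTED_PACKAGE.items():
        if brand in info.label.lower() and info.package != expected:
            hits.append(("T1655.001", "Match Legitimate Name or Location",
                         f"label {info.label!r} under package {info.package}"))
    return hits


def technique_ids(xml_text: str) -> List[str]:
    """Sorted, de-duplicated technique ids for one manifest."""
    return sorted({tid for tid, _, _ in map_to_attack(parse_manifest(xml_text))})


# Constructed manifest declaring the capability pattern described in the table.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notreal">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="WhatsApp">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for tid, name, evidence in map_to_attack(parse_manifest(SUSPICIOUS_MANIFEST)):
        print(tid, name, "<-", evidence)
```

The benign manifest maps only to T1437.001, which is why the evaluate-on-combinations advice earlier on the page matters: INTERNET alone is not a finding, whereas the constructed suspicious manifest lights up eight rows of the table at once. Discovery rows (T1418.001, T1422, T1426), the SOCKS proxy (T1604) and the lock-screen behaviour (T1642) are runtime behaviours with no manifest-level declaration and need dynamic or telemetry evidence instead.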


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a74bd2d8999b324e...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 1.0 Current bundle a74bd2d8999b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Threat Fabric Exobot: Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  2. [2] mitre-attack S0522: MITRE ATT&CK source record for this object.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.