S0522: Exobot
Analyst context for executives and security teams
Exobot is an Android banking malware entry in ATT&CK, described as primarily targeting financial institutions in Germany, Austria, and France. Its mapped behaviors matter because they combine credential/input capture, SMS and contact access, device and security-tool discovery, persistence through Android broadcast receivers, device administrator abuse, web-based communications, and proxying through the victim device. For leaders, the practical issue is not only malware removal; it is whether mobile devices used for banking, workforce access, or customer-facing operations are governed well enough to prevent or detect high-risk permission abuse and credential theft.
Executive priority
Prioritize this as a mobile identity and fraud-resilience concern where Android devices interact with financial services, privileged business accounts, or regulated data. The key executive questions are: do we know which Android devices and apps can access SMS, contacts, accessibility/keyboard functions, or device administrator privileges; can we revoke or contain risky apps quickly; and can incident response correlate mobile indicators with account takeover or suspicious banking activity? This object also supports audit and compliance discussions around mobile device governance, app permission control, and evidence of monitoring for credential and SMS abuse.
Technical view
SOC and IR teams should validate coverage around the Android behaviors linked to Exobot: Keylogging, GUI Input Capture, Security Software Discovery, System/Internet Connection Discovery, System Information Discovery, Web Protocols, SMS Control, Proxy Through Victim, Broadcast Receivers, Device Administrator Permissions, Contact List and SMS Message collection, Endpoint Denial of Service, and masquerading as legitimate apps. Because ATT&CK provides no official detection text for Exobot, detection should be built from relationship-driven behavior clusters rather than a single signature: suspicious Android app identity or location, high-risk permission requests, device admin activation, SMS send/receive/default-handler behavior, contact/SMS content access, persistence via broadcast receivers, and outbound web traffic or proxy-like behavior from mobile devices.
Likely telemetry
- Android MDM/UEM inventory: installed apps, package names, app names/icons, install sources, versions, and device ownership status
- Android permission and role state: SMS permissions, contacts access, accessibility/keyboard authorization where available, default SMS handler, and device administrator status
- Mobile threat defense or endpoint telemetry for suspicious app behavior, broadcast receiver registration, persistence events, and attempted security software discovery
- Network telemetry from mobile devices, especially HTTP/HTTPS destinations, unusual web-protocol communications, and proxy-like traffic patterns
- Identity, banking, or application logs that can be correlated with mobile device activity, especially suspicious credential prompts or account access after mobile risk events
Detection direction
- Validate that Android fleet telemetry can identify risky combinations of behaviors, not just known malware names: credential/input capture plus SMS access, contacts access, device admin, persistence, and web communications.
- Tune allowlists carefully for legitimate keyboards, accessibility tools, MDM agents, SMS applications, and enterprise security products to reduce false positives while preserving alerting on unusual combinations or newly installed apps.
- Look for masquerading indicators supported by ATT&CK relationships, such as apps matching legitimate names, icons, package-like naming, or locations in ways that obscure identity.
- Correlate mobile alerts with account activity. Exobot is described as banking malware, so mobile credential/SMS events should inform fraud, IAM, and incident response triage when financial or privileged accounts are involved.
- Account for blind spots: unmanaged BYOD Android devices, limited permission visibility, encrypted web traffic, and environments that only monitor corporate networks may miss key evidence.
Mitigation priorities
- Establish or validate Android device governance through MDM/UEM for devices that access sensitive business, financial, or identity systems.
- Restrict or require approval for high-risk permissions and roles such as SMS control, contacts access, third-party keyboard/accessibility capabilities, and device administrator privileges where business needs allow.
- Use app control and mobile threat defense processes to review suspicious app names, icons, package identities, install sources, and behavior combinations.
- Prepare IR playbooks for mobile banking-malware scenarios: isolate or unenroll affected devices, revoke risky permissions, remove suspicious apps, rotate potentially exposed credentials, and review account activity tied to the device.
- Educate users to treat unexpected credential prompts, requests for SMS/default handler/device administrator access, or third-party keyboard authorization as high-risk events.
Analyst notes and limits
The strongest defensive value comes from treating Exobot as a mapped Android behavior cluster rather than relying on the malware family name alone. The relationships highlight identity theft, SMS abuse, persistence, discovery, communications, proxying, and device control behaviors that should drive mobile detection engineering and incident response validation.
ATT&CK supplies a brief description, Android as the platform, one external Threat Fabric reference, and no official detection guidance for this object. Tactics are not specified in the supplied object. Local control decisions require organization-specific evidence about Android device management, app inventory, permissions, mobile network visibility, and whether affected devices interact with financial or privileged systems.
Exobot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | |
| Mobile | T1582 | SMS Control | |
| Mobile | T1418.001 | Security Software Discovery Sub-technique | |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | |
| Mobile | T1437.001 | Web Protocols Sub-technique | |
| Mobile | T1636.004 | SMS Messages Sub-technique | |
| Mobile | T1422.001 | Internet Connection Discovery Sub-technique | |
| Mobile | T1422 | System Network Configuration Discovery | |
| Mobile | T1417.001 | Keylogging Sub-technique | |
| Mobile | T1642 | Endpoint Denial of Service | |
| Mobile | T1636.003 | Contact List Sub-technique | |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | |
| Mobile | T1626.001 | Device Administrator Permissions Sub-technique | |
| Mobile | T1426 | System Information Discovery | |
| Mobile | T1604 | Proxy Through Victim |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | a74bd2d8999b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Threat Fabric Exobot
Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
Open source URL -
[2]
mitre-attack S0522Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.