S0522 Exobot

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[2]

| Item | Value |
|---|---|
| ID | S0522 |
| Associated Names | |
| Version | 1.0 |
| Created | 29 October 2020 |
| Last Modified | 07 December 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Exobot can request device administrator permissions.[2] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Exobot has used HTTPS for C2 communication.[2] |
| mobile | T1642 | Endpoint Denial of Service | Exobot can lock the device with a password and permanently disable the screen.[2] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | Exobot has registered to receive the BOOT_COMPLETED broadcast intent.[2] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Exobot has used web injects to capture users’ credentials.[2] |
| mobile | T1417.002 | GUI Input Capture | Exobot can show phishing popups when a targeted application is running.[2] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Exobot can access the device’s contact list.[2] |
| mobile | T1636.004 | SMS Messages | Exobot can intercept SMS messages.[2] |
| mobile | T1604 | Proxy Through Victim | Exobot can open a SOCKS proxy connection through the compromised device.[2] |
| mobile | T1582 | SMS Control | Exobot can forward SMS messages.[2] |
| mobile | T1418 | Software Discovery | - |
| mobile | T1418.001 | Security Software Discovery | Exobot can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.[2] |
| mobile | T1426 | System Information Discovery | Exobot can obtain the device’s country and carrier name.[2] |
| mobile | T1422 | System Network Configuration Discovery | Exobot can obtain the device’s IMEI, phone number, and IP address.[2] |