Exobot

Also known as: Exo Android Bot, Marcher, ExobotCompact, Octo, Coper

Category: Malware

Type: Trojan, banking trojan, remote access trojan, malicious mobile apps

Platform: Android

Variants: Exobot v1, Exobot v2

Damage potential: Data theft, privacy invasion, remote access and device control, SMS hijacking, device locking, and possible financial loss

Overview

Exobot is a banking trojan that first appeared in 2016, targeting Android devices. It's based on an earlier malware strain known as Marcher. Exobot mainly uses overlay attacks, where it displays fake login screens over legitimate banking apps to harvest user credentials. It can also intercept and manipulate SMS messages, making it easier for attackers to bypass two-factor authentication. Some advanced versions go even further by making fraudulent transactions appear to come directly from the victim's phone, so the activity looks legitimate to bank fraud detection systems.

Initially sold on hacking forums, the dark web, and even a dedicated public website, Exobot quickly gained popularity among cybercriminals due to its effectiveness and accessibility. It was rented out to attackers as malware as a service (MaaS), complete with tools for managing infected devices (bots). In 2018, its source code was leaked, which led to the creation of a whole family of malware, including ExobotCompact, Coper, and Octo — each with improved obfuscation techniques.

Possible symptoms

If your Android device is infected with Exobot or one of its newer versions, like Octo or Coper, you may notice some unusual behavior:

  • Unexpected pop-ups asking for permissions, especially access to accessibility services or requests to make an app a device administrator.
  • New apps or services running on your device that you don’t remember installing.
  • Disappearing SMS messages.
  • Unusual battery drain or data usage, even when you’re not actively using your phone.
  • The screen turning black or dimming unexpectedly.
  • Background taps, gestures, or scrolling without your interaction.
  • Unauthorized financial transactions.

Sources of the infection

Exobot and its related malware variants often infect Android devices through:

  • Phishing attacks via SMS or email containing links to malicious apps disguised as popular applications.
  • Applications distributed through third-party app stores or malicious websites.
  • Fake applications on official app stores, posing as legitimate utility apps.

Protection

To protect yourself against Exobot or similar phone malware:

  • Install applications only from trusted sources, such as the official Google Play Store.
  • Verify app publishers and check permissions before installation.
  • Regularly update your device's operating system and applications to patch known vulnerabilities.
  • Be cautious of unsolicited messages requesting you to download or install applications.
  • Avoid granting unnecessary permissions to applications, especially accessibility services and device administrator privileges.
  • Use Threat Protection, the DNS filtering feature available in the NordVPN mobile app, to filter malicious traffic and keep you from visiting dangerous domains.

Exobot removal

Removing Exobot from an infected Android device can be challenging due to its persistence mechanisms. If you suspect your device is infected with Exobot:

  • Turn off Wi-Fi and mobile data and remove the SIM card (some versions can turn data back on).
  • Try to uninstall the malicious app. If that fails, do a factory reset.
  • Back up your photos and files and perform a device reset.
  • Use a trusted mobile antivirus to scan for leftover malware.
  • In case of a fraudulent transaction, immediately contact your bank.
  • Change all passwords for accounts accessed via the infected device, especially financial services.