{
	"id": "4e5ec2e9-5802-4022-8895-ec0f1bf39d2a",
	"created_at": "2026-04-06T00:12:35.287599Z",
	"updated_at": "2026-04-10T13:12:01.103377Z",
	"deleted_at": null,
	"sha1_hash": "80aa154393490e574fbddb505c1544d9882cc320",
	"title": "Exobot Author Calls It Quits and Sells Off Banking Trojan Source Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224493,
	"plain_text": "Exobot Author Calls It Quits and Sells Off Banking Trojan Source Code\r\nBy Catalin Cimpanu\r\nPublished: 2018-01-17 · Archived: 2026-04-05 18:35:59 UTC\r\nThings are about to get a lot worse for Android users after the source code of a highly advanced Android banking trojan has\r\nbeen sold to different parties on a well-known hacking forum.\r\nThe trojan at the center of this worrisome news is called Exobot, an Android malware strain that first appeared on the\r\nmalware scene in June 2016.\r\nJust like most of today's professionally coded desktop or mobile banking trojans, Exobot has always been rented to\r\ncustomers on a monthly basis.\r\nhttps://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/\r\nPage 1 of 4\n\nCustomers never have access to the trojan's source code, but they can use configuration panels provided by the Exobot\r\nauthor to compile malicious apps with per-client custom settings. Renters then have to distribute these apps to victims, each\r\nusing its own methods and means.\r\nExobot has been one of the most active Android mobile trojans in the past two years, together with BankBot, GM Bot,\r\nMazar Bot, or Red Alert.\r\nInitially, some security firms called it Marcher, but eventually everybody started calling it by the name its author had given\r\nit. 
Business was good as initial profits spurred Exobot's author to create Exobot v2 by late 2016.\r\nBleeping Computer covered Exobot v2's rise when the trojan was heavily advertised on the Dark Web, hacking forums,\r\nXMPP spam, and even on the public Internet.\r\nBased on the evidence this reporter gathered in past conversations with numerous security researchers, Exobot looked like a\r\nlucrative business for its author and was used to target users in many countries around the world.\r\nExobot author puts banking trojan up for sale\r\nBut out of the blue, the Exobot author —going by the generic pseudonym of \"android\"— made a major move, which in\r\nhindsight might cause a lot of problems for users in the upcoming future.\r\nThe Exobot author decided to shut down the Exobot rental scheme and sell the source code to a small number of clients.\r\nBelow are two images of the Exobot author's sale ad, courtesy of Cengiz Han Sahin, a mobile security researcher at\r\nSfyLabs.\r\n\"According to his statement, he became very rich,\" Sahin says. \"Such a statement in the malware world generally means one\r\nof the following two things: Either the actor notices the surge of interest from law enforcement and/or competitors fighting\r\nback their market share, either his business has indeed been very fruitful and its ratio of risk/gain is no longer of interest.\"\r\nMany fear Exobot source code will become public\r\nBut despite the reasons, the sale of Exobot will have deep repercussions on the Android malware scene, even if not right\r\naway.\r\nThis reporter has covered many such incidents in the past. 
Based on this reporter's experience, and Sahin's own predictions,\r\nwhich he penned in a blog here, it's only a matter of time until this source code gets leaked online for everybody to enjoy.\r\nSuch sales almost never remain secret, and at one point or another, a dissatisfied customer will leak the source code when\r\nExobot's author won't provide the support the buyer needs. This is how many families of desktop-based banking trojans have\r\nbeen leaked in the past decade.\r\nOnce it gets leaked, the Exobot code will follow the same fate as the Slempo, BankBot, and GM Bot Android banking\r\ntrojans, and will be tweaked and remastered into hundreds of offshoot trojans, reducing the costs and technical skills needed\r\nto enter the mobile malware scene.\r\nExobot sale leads to new malware campaigns\r\nBut before low-skilled actors get their hands on leaked versions of Exobot, the trojan's new customers are already putting it\r\nto good use.\r\n\"Less than a month after the actor started selling the Exobot source code, new campaigns in Austria, England, Netherlands,\r\nand Turkey were discovered,\" Sahin says. Of all, Turkey is the most affected by these campaigns, with over 4,400 devices\r\nin total, based on Sahin's investigation.\r\nThis rise in malicious Exobot apps was caused by a few private sales of the Exobot source code. 
We don't need to imagine\r\nthe scale of Exobot attacks if the source code leaks, mainly because we already have an example in BankBot.\r\nLeaked online in late 2016, this trojan has been at the heart of a recent wave of malicious apps spread via the Google Play\r\nStore, in what appears to be a losing battle for Google engineers, who are having a harder and harder time detecting the\r\ninitial apps that spread these threats.\r\nThe fragmented Android OS market, the annoying mobile carriers that never deliver patches in time, and the Google Play\r\nStore team that can't seem to keep up with malware authors put Android users at a serious disadvantage when it comes to\r\nmobile malware. The only methods that can safeguard most users are mobile antivirus solutions and the use of common\r\nsense not to install apps from untrusted sources or not to install Play Store apps that require unnecessary permissions.\r\nSource: https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/"
	],
	"report_names": [
		"exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80aa154393490e574fbddb505c1544d9882cc320.pdf",
		"text": "https://archive.orkl.eu/80aa154393490e574fbddb505c1544d9882cc320.txt",
		"img": "https://archive.orkl.eu/80aa154393490e574fbddb505c1544d9882cc320.jpg"
	}
}