{
	"id": "52ba4300-e5c9-4476-9d0e-b1b9f6fecd9a",
	"created_at": "2026-04-06T03:35:40.640946Z",
	"updated_at": "2026-04-10T03:34:47.593048Z",
	"deleted_at": null,
	"sha1_hash": "b30470b6b6494095ab9064d0d2ae2c364ffcdddf",
	"title": "Exobot (Marcher) - Android banking Trojan on the rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 725574,
	"plain_text": "Exobot (Marcher) - Android banking Trojan on the rise\r\nPublished: 2024-10-01 · Archived: 2026-04-06 03:21:03 UTC\r\nIntroduction\r\nThe past months many different banking Trojans for the Android platform have received media attention. One of\r\nthese, called Marcher (aka Exobot), seems to be especially active with different samples appearing on a daily\r\nbasis. This malware variant also appears to be technically superior to many other banking Trojans being able to\r\nuse its overlay attack even on Android 6, which has technical improvements compared to the previous Android\r\nversions to prevent such attacks.\r\nThe main infection vector is a phishing attack using SMS/MMS. The social engineering message includes a link\r\nthat leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix. On installation, the\r\napp requests the user to provide SMS storage access and high Android privileges such as Device Admin. Other\r\ninfection vectors include pornographic websites serving apps called Adobe Flash or YouPorn.\r\nThe Marcher banking malware uses two main attack vectors. The first attack vector is to compromise the out of\r\nband authentication for online banks that rely on SMS using SMS forwarding. The second attack vector, the\r\noverlay attack, shows a customized phishing window whenever a targeted application is started on the device. The\r\noverlay window is often indistinguishable from the expected screen (such as a login screen for a banking app) and\r\nis used to steal the victim’s banking credentials. The target list and bank specific fake login pages can be\r\ndynamically updated via their C2 panel (dashboard back-end) which significantly increases the adaptability and\r\nscalability of this attack. 
In addition, the overlay attack used by this type of Android banking malware does not require the device to be rooted or the app to hold any specific Android permission (besides android.permission.INTERNET to retrieve the overlay contents and send the captured data).\r\nThe many changes we see in the way the attacks are performed show that attackers are heavily experimenting to find the best way of infecting a mobile device and of abusing existing functionality to perform successful phishing attacks. The next stage in device infection could be the use of exploit kits and malvertising, which would be quite effective due to the many Android vulnerabilities and the number of consumers with unpatched devices. In addition, future Trojans could leverage root exploits to make themselves almost impossible to remove and to give malicious actors the ability to hook the generic low-level APIs used by all (banking) applications, the same attack vector that has been used on the desktop platform for years.\r\nTechnical Analysis\r\nPermissions\r\nMarcher’s APK is fairly small (only 683KB for sample eb8f02fc30ec49e4af1560e54b53d1a7), much smaller than most legitimate apps and other popular mobile malware samples. This sample only includes Dalvik bytecode and resources, without any native libraries. The package name (vyn.hhsdzgvoexobmkygffzwuewrbikzud) and its many activities and services have randomized names, probably to make it a bit more difficult to detect the package using blacklisting.\r\nhttps://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html\r\nPage 1 of 19\r\n
The set of permissions required by Marcher according to the manifest is as follows:\r\n* android.permission.CHANGE_NETWORK_STATE (change network connectivity state)\r\n* android.permission.SEND_SMS (send SMS messages)\r\n* android.permission.USES_POLICY_FORCE_LOCK (lock the device)\r\n* android.permission.RECEIVE_BOOT_COMPLETED (start malware when device boots)\r\n* android.permission.INTERNET (communicate with the internet)\r\n* android.permission.VIBRATE (control the vibrator)\r\n* android.permission.ACCESS_WIFI_STATE (view information about the status of Wi-Fi)\r\n* android.permission.WRITE_SMS (edit/delete SMS)\r\n* android.permission.ACCESS_NETWORK_STATE (view the status of all networks)\r\n* android.permission.WAKE_LOCK (prevent the phone from going to sleep)\r\n* android.permission.GET_TASKS (retrieve running applications)\r\n* android.permission.CALL_PHONE (call phone numbers)\r\n* android.permission.WRITE_SETTINGS (read/write global system settings)\r\n* android.permission.RECEIVE_SMS (intercept SMS messages)\r\n* android.permission.READ_PHONE_STATE (read phone details of the device such as phone number and serial number)\r\n* android.permission.CHANGE_WIFI_STATE (connect to and disconnect from Wi-Fi networks and make changes to configured networks)\r\n* android.permission.READ_CONTACTS (read all contact data)\r\n* android.permission.READ_SMS (read SMS messages)\r\nObviously a fairly significant list of permissions, many of which are suspicious, especially in combination: full control over SMS (receive, read, write, send) next to CALL_PHONE, READ_CONTACTS and boot persistence is the profile of an SMS-stealing banking Trojan, not of a fitness or video app.\r\nRuntastic sample permission prompt\r\nChecking foreground app\r\nMarcher is one of the few Android banking Trojans to use the AndroidProcesses library, which enables the application to obtain the name of the Android package that is currently running in the foreground. 
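Before going into the foreground check, here is how the permission list above can be scored automatically, the way a triage script does it before anyone opens the APK in a disassembler. This is an added example and not code from the report or from ThreatFabric: it parses a manifest constructed here to mirror the Marcher permission list (the receiver guarded by android.permission.BIND_DEVICE_ADMIN is assumed, since the report describes the device-admin prompt but does not show that manifest entry), and the risk groups and their weighting are this example's own choices.

```python
# Added example: permission-set triage for an Android manifest.
# Not code from the report; the manifest below is constructed to mirror
# the Marcher permission list, and the risk groups are this example's own.
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Permissions that are individually unremarkable but, as complete groups,
# match the profile of an SMS-stealing banking Trojan.
RISK_GROUPS = {
    'sms_control': {'android.permission.RECEIVE_SMS', 'android.permission.READ_SMS',
                    'android.permission.SEND_SMS', 'android.permission.WRITE_SMS'},
    'telephony': {'android.permission.CALL_PHONE', 'android.permission.READ_PHONE_STATE'},
    'persistence': {'android.permission.RECEIVE_BOOT_COMPLETED', 'android.permission.WAKE_LOCK'},
    'recon': {'android.permission.GET_TASKS', 'android.permission.READ_CONTACTS'},
}

# Constructed manifest: the uses-permission entries are the ones listed in the report;
# the device-admin receiver (and its name) is assumed, the report shows only the prompt.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='vyn.hhsdzgvoexobmkygffzwuewrbikzud'>
  <uses-permission android:name='android.permission.CHANGE_NETWORK_STATE'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.USES_POLICY_FORCE_LOCK'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.VIBRATE'/>
  <uses-permission android:name='android.permission.ACCESS_WIFI_STATE'/>
  <uses-permission android:name='android.permission.WRITE_SMS'/>
  <uses-permission android:name='android.permission.ACCESS_NETWORK_STATE'/>
  <uses-permission android:name='android.permission.WAKE_LOCK'/>
  <uses-permission android:name='android.permission.GET_TASKS'/>
  <uses-permission android:name='android.permission.CALL_PHONE'/>
  <uses-permission android:name='android.permission.WRITE_SETTINGS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.READ_PHONE_STATE'/>
  <uses-permission android:name='android.permission.CHANGE_WIFI_STATE'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <application>
    <receiver android:name='.AdminReceiver' android:permission='android.permission.BIND_DEVICE_ADMIN'>
      <intent-filter><action android:name='android.app.action.DEVICE_ADMIN_ENABLED'/></intent-filter>
    </receiver>
  </application>
</manifest>'''

# Constructed benign counterpart: a typical network-only app.
BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.example.weather'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.ACCESS_NETWORK_STATE'/>
  <application/>
</manifest>'''

def manifest_permissions(manifest_xml):
    '''Set of android:name values of every uses-permission element.'''
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + 'name') for el in root.iter('uses-permission')}

def requests_device_admin(manifest_xml):
    '''True when a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app can become a device admin.'''
    root = ET.fromstring(manifest_xml)
    return any(el.get(ANDROID_NS + 'permission') == 'android.permission.BIND_DEVICE_ADMIN'
               for el in root.iter('receiver'))

def triage(manifest_xml):
    '''Return (score, findings): each fully present risk group counts one, device admin one more.'''
    perms = manifest_permissions(manifest_xml)
    findings = sorted(name for name, group in RISK_GROUPS.items() if group <= perms)
    if requests_device_admin(manifest_xml):
        findings.append('device_admin')
    return len(findings), findings

if __name__ == '__main__':
    for label, xml in (('marcher-like', SAMPLE_MANIFEST), ('benign', BENIGN_MANIFEST)):
        print(label, triage(xml))
```

Scoring complete groups rather than single permissions is the point: SEND_SMS or READ_CONTACTS alone is normal for a messenger, the full SMS set together with CALL_PHONE, boot persistence and a device-admin receiver is not. On a real APK the manifest is binary XML, so run it through apktool or androguard first and feed the decoded text to the same functions.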
This library is used because it implements the only (publicly known) way to retrieve this information on Android 6: reading each process’s OOM score from the /proc directory. When the app currently in the foreground matches an app targeted by the malware, the Trojan shows the corresponding phishing overlay, making the user think it belongs to the app that was just started.\r\nDynamic overlays\r\nWhen a victim opens a targeted app, Marcher displays an overlay (a customized WebView): it looks up in its application preferences (main_prefs.xml) which URL is configured for the targeted app and loads that page. The complete list of apps can be seen below. The phishing pages shown in the overlay use Ajax calls to communicate with a PHP back-end which stores all user input. The C2 back-end URL looks like this: https://evilhost/c2folder/njs2/?fields[]. There is no way to get back to the original app, even if the victim terminates the overlay process and reopens the app, until credit card details (name, number, expiry date, security code) and/or bank information (PIN, VBV passcode, date of birth, etc.) are filled in and verified. 
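The foreground check and the overlay selection just described, as an added example that is not code from the report or from the AndroidProcesses library. It is a simplified model: on Android 5 and 6 the process of the app in front has an oom_score_adj of 0 in /proc/pid/oom_score_adj and its package name in /proc/pid/cmdline, and the owner uid separates apps (10000 and up) from system daemons. The /proc snapshot, the main_prefs stand-in and the evilhost URLs below are constructed placeholders, not data from the report.

```python
# Added example: a simplified model of the foreground check and overlay selection
# described above. Not code from the report or from the AndroidProcesses library.
# On Android 5/6 the app in the foreground has oom_score_adj 0 (read from
# /proc/<pid>/oom_score_adj) and its package name in /proc/<pid>/cmdline; the
# process owner uid tells apps (uid 10000 and up) apart from system daemons.
# Here the /proc snapshot is a constructed dict, so the logic runs anywhere.
import os

FOREGROUND_OOM_SCORE_ADJ = 0
FIRST_APP_UID = 10000   # Android assigns installed apps uids from 10000 upwards

# Constructed /proc snapshot: pid -> (cmdline, uid, oom_score_adj).
PROC_SNAPSHOT = {
    1: ('/init', 0, -1000),
    612: ('system_server', 1000, -900),
    1337: ('com.android.systemui', 10013, -800),
    2001: ('com.whatsapp', 10104, 700),
    2042: ('de.postbank.finanzassistent', 10119, 0),
    2077: ('vyn.hhsdzgvoexobmkygffzwuewrbikzud', 10132, 200),
}

# Constructed stand-in for main_prefs.xml: targeted package -> overlay page on the C2.
# evilhost and the inj/ paths are placeholders, not indicators from the report.
OVERLAY_PREFS = {
    'de.postbank.finanzassistent': 'https://evilhost/c2folder/njs2/inj/postbank.html',
    'com.whatsapp': 'https://evilhost/c2folder/njs2/inj/creditcard.html',
}

def foreground_package(snapshot):
    '''Package name of the app process with oom_score_adj 0, or None if no app is in front.'''
    for cmdline, uid, oom_score_adj in snapshot.values():
        if uid >= FIRST_APP_UID and oom_score_adj == FOREGROUND_OOM_SCORE_ADJ:
            return cmdline
    return None

def overlay_for(snapshot, prefs):
    '''URL of the overlay to show for the current foreground app, or None if it is not targeted.'''
    pkg = foreground_package(snapshot)
    return prefs.get(pkg) if pkg is not None else None

def snapshot_from_proc(proc_root='/proc'):
    '''Build the same snapshot shape from a real procfs. On a Linux box this lists the
    host processes; on Android 7 and later the entries of other apps are not readable.'''
    snapshot = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, 'cmdline'), 'rb') as fh:
                cmdline = fh.read().split(bytes([0]), 1)[0].decode('utf-8', 'replace')
            with open(os.path.join(base, 'oom_score_adj')) as fh:
                oom_score_adj = int(fh.read().strip())
            uid = os.stat(base).st_uid
        except (OSError, ValueError):
            continue   # process exited, or entry not readable (hidepid)
        snapshot[int(entry)] = (cmdline, uid, oom_score_adj)
    return snapshot

if __name__ == '__main__':
    print('foreground:', foreground_package(PROC_SNAPSHOT))
    print('overlay:', overlay_for(PROC_SNAPSHOT, OVERLAY_PREFS))
```

Android 7 mounts /proc with hidepid=2, so an unprivileged app can no longer read the entries of other processes; that is the platform change the conclusion refers to when it says the foreground-app techniques stopped working there, and snapshot_from_proc simply returns an empty dict in that situation.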
The information is then stored in the local app database as well as sent to the back-end.\r\nOverlays for phishing Google Play, Facebook and ING-DiBa\r\nOverlay for Postbank Finanzassistent\r\nTargeted banking apps\r\n* at.bawag.mbanking (BAWAG P.S.K.)\r\n* at.easybank.mbanking (easybank)\r\n* at.spardat.netbanking (ErsteBank/Sparkasse netbanking)\r\n* at.volksbank.volksbankmobile (Volksbank Banking)\r\n* com.bankaustria.android.olb (Bank Austria MobileBanking)\r\n* com.db.mm.deutschebank (Meine Bank)\r\n* com.ing.diba.mbbr2 (ING-DiBa Banking + Brokerage)\r\n* com.isis_papyrus.raiffeisen_pay_eyewdg (Raiffeisen ELBA)\r\n* com.starfinanz.smob.android.sfinanzstatus (Sparkasse)\r\n* de.comdirect.android (comdirect mobile App)\r\n* de.commerzbanking.mobil (Banking)\r\n* de.consorsbank (Consorsbank)\r\n* de.dkb.portalapp (DKB-Banking)\r\n* de.fiducia.smartphone.android.banking.vr (VR-Banking)\r\n* de.postbank.finanzassistent (Postbank Finanzassistent)\r\n* mobile.santander.de (Santander MobileBanking)\r\n* com.barclays.android.barclaysmobilebanking (Barclays Mobile Banking)\r\n* com.grppl.android.shell.BOS (Bank of Scotland Mobile Bank)\r\n* com.grppl.android.shell.CMBlloydsTSB73 (Lloyds Bank Mobile Banking)\r\n* com.grppl.android.shell.halifax (Halifax Mobile Banking app)\r\n* com.htsu.hsbcpersonalbanking (HSBC Mobile Banking)\r\n* com.rbs.mobile.android.natwest (NatWest)\r\n* com.rbs.mobile.android.rbs (Royal Bank, RBS)\r\n* com.rbs.mobile.android.ubr (Ulster Bank ROI)\r\n* uk.co.santander.santanderUK (Personal Banking)\r\n* uk.co.tsb.mobilebank (TSB Mobile Banking)\r\n* com.bbl.mobilebanking (Bualuang mBanking)\r\n* com.kasikornbank.retail.kmerchant (K-PowerPay (mPOS))\r\n* com.scb.phone (SCB EASY)\r\n* ktbcs.netbank (KTB netbank)\r\n* ar.com.santander.rio.mbanking 
(Santander Río)\r\n* br.com.bb.android (Banco do Brasil)\r\n* cl.santander.smartphone (Banca Personas)\r\n* co.com.bbva.mb (BBVA Colombia)\r\n* com.bancodebogota.bancamovil (Banco de Bogotá)\r\n* com.bancomer.mbanking (Bancomer móvil)\r\n* com.bapro.movil (Banco Provincia)\r\n* com.bbva.nxt_argentina (BBVA Francés | Banca Móvil AR)\r\n* com.bbva.nxt_peru (BBVA Continental - Banca Móvil)\r\n* com.bcp.bank.bcp (Banca Móvil BCP)\r\n* com.citibanamex.banamexmobile (Citibanamex Móvil)\r\n* com.grupoavalav1.bancamovil (AV Villas App)\r\n* com.itau (Banco Itaú)\r\n* com.mosync.app_Banco_Galicia (Banco Galicia)\r\n* com.santander.app (Santander Brasil)\r\n* com.todo1.davivienda.mobileapp (Davivienda Móvil)\r\n* com.todo1.mobile (Bancolombia App Personas)\r\n* mx.bancosantander.supermovil (Supermóvil)\r\n* org.banelco (Banelco MÓVIL)\r\n* org.microemu.android.model.common.VTUserApplicationLINKMB (Link Celular)\r\n* pe.com.interbank.mobilebanking (Interbank APP)\r\n* se.accumulate.me.core.androidclient.csb (Bancoomeva Móvil)\r\n* se.accumulate.me.core.androidclient.occidente (Banco de Occidente B.P)\r\n* au.com.bankwest.mobile (Bankwest)\r\n* au.com.ingdirect.android (ING DIRECT Australia Banking)\r\n* au.com.nab.mobile (NAB)\r\n* com.commbank.netbank (CommBank)\r\n* org.banksa.bank (BankSA Mobile Banking)\r\n* org.stgeorge.bank (St.George Mobile Banking)\r\n* org.westpac.bank (Westpac Mobile Banking)\r\n* com.chase.sig.android (Chase Mobile)\r\n* com.citi.citimobile (Citi Mobile®)\r\n* com.schwab.mobile (Schwab Mobile)\r\n* com.wf.wellsfargomobile (Wells Fargo Mobile)\r\n* de.ing_diba.kontostand (ING-DiBa Kontostand)\r\n* de.adesso.mobile.android.gadfints (Online-Filiale+)\r\n* com.starfinanz.mobile.android.dkbpushtan (DKB-pushTAN)\r\n* com.starfinanz.smob.android.sbanking (Sparkasse+)\r\n* com.kasikorn.retail.mbanking.wap (K-Mobile Banking PLUS)\r\n* 
com.scb.tablet (SCB EASY for Tablet)\r\n* com.SCBBizNet (SCB Business Net)\r\n* com.scbup2me (SCB UP2ME)\r\n* th.co.ktam.ktampvd (KTAM PVD)\r\n* com.ktb.bizgrowing (KTB Biz Growing)\r\n* com.ing.mobile (ING Bankieren)\r\n* com.caisseepargne.android.mobilebanking (Banque)\r\n* fr.lcl.android.customerarea (Mes Comptes - LCL pour mobile)\r\n* net.bnpparibas.mescomptes (Mes Comptes BNP Paribas)\r\n* com.cic_prod.bad (CIC)\r\n* com.fullsix.android.labanquepostale.accountaccess (La Banque Postale)\r\n* fr.banquepopulaire.cyberplus (Cyberplus)\r\n* fr.creditagricole.androidapp (Ma Banque)\r\n* mobi.societegenerale.mobile.lappli (L’Appli Société Générale)\r\n* pt.santandertotta.mobileparticulares (Santander Totta)\r\n* wit.android.bcpBankingApp.millennium (Millenniumbcp)\r\n* com.IngDirectAndroid (ING Direct France)\r\n* fr.bred.fr (BRED)\r\n* fr.lcl.android.entreprise (Pro \u0026 Entreprises LCL)\r\n* mobi.societegenerale.mobile.lapplipro (L’Appli Pro Société Générale)\r\n* com.axabanque.fr (AXA Banque France)\r\n* com.fpe.comptenickel (Mon Compte-Nickel)\r\n* com.carrefour.bank (Carrefour Banque)\r\n* com.bnpp.easybanking (Easy Banking)\r\n* com.paypal.android.p2pmobile (PayPal)\r\n* com.westernunion.moneytransferr3app.eu (Western Union International)\r\n* fr.banquepopulaire.cyberplus.pro (Cyberplus PRO)\r\n* com.akbank.android.apps.akbank_direkt (Akbank Direkt)\r\n* com.akbank.softotp (Akbank Direkt Şifreci)\r\n* com.teb (CEPTETEB)\r\n* com.finansbank.mobile.cepsube (QNB Finansbank Cep Şubesi)\r\n* com.garanti.cepbank (Garanti CepBank)\r\n* biz.mobinex.android.apps.cep_sifrematik (Garanti Cep Şifrematik)\r\n* com.garanti.cepsubesi (Garanti Mobile Banking)\r\n* com.tmobtech.halkbank (Halkbank Mobil)\r\n* com.ingbanktr.ingmobil (ING Mobil)\r\n* com.pozitron.iscep (İşCep)\r\n* com.intertech.mobilemoneytransfer.activity (fastPay)\r\n* com.tmob.denizbank 
(MobilDeniz)\r\n* tr.com.sekerbilisim.mbank (ŞEKER MOBİL ŞUBE)\r\n* com.vakifbank.mobile (VakıfBank Mobil Bankacılık)\r\n* com.ykb.android.mobilonay (Yapı Kredi Kurumsal Mobil Şube)\r\n* com.ykb.androidtablet (Yapı Kredi Mobil Şube)\r\n* com.ykb.android (Yapı Kredi Mobile)\r\n* com.ziraat.ziraatmobil (Ziraat Mobil)\r\n* com.akbank.android.apps.akbank_direkt_tablet (Akbank Direkt Tablet)\r\n* com.zentity.sbank.csobsk (SmartBanking SK)\r\n* cz.csob.smartbanking (ČSOB SmartBanking)\r\nOther targeted apps (credit card overlay)\r\n* com.instagram.android (Instagram)\r\n* com.android.vending (Play Store)\r\n* com.facebook.katana (Facebook)\r\n* com.skype.raider (Skype)\r\n* com.viber.voip (Viber)\r\n* com.whatsapp (WhatsApp Messenger)\r\n* com.google.android.gm (Gmail)\r\n* com.amazon.mShop.android.shopping (Amazon Shopping)\r\nAntivirus “evasion”\r\nIn addition to the list of apps targeted for phishing, the app contains a list of antivirus applications that it prevents from removing the malware. The technique used is quite simple: the malware looks for any AV app from the list and, if one is running, forces the phone back to the home screen. 
Even if the AV program detects the malware, it still waits for the user’s confirmation before starting the removal process, but because the user never gets the chance to give that confirmation, the malware is not removed.\r\nCode snippet showing the malware forcing the device back to the home screen\r\nThe following antivirus apps are targeted with this technique:\r\n* com.clean.booster.security.battery.memory (Booster Cleaner)\r\n* com.qihoo.security.lite (360 Security Lite)\r\n* com.piriform.ccleaner (CCleaner)\r\n* com.antivirus.tablet (Tablet AntiVirus FREE 2017)\r\n* com.dianxinos.optimizer.duplay (DU Speed Booster \u0026 Cleaner)\r\n* com.womboidsystems.antivirus.security.android (Antivirus Go Next for Android™)\r\n* com.trustlook.antivirus (Free Antivirus \u0026 Security)\r\n* com.avast.android.mobilesecurity (Mobile Security \u0026 Antivirus)\r\n* com.cleanmaster.mguard (Clean Master (Boost\u0026Antivirus))\r\n* com.qihoo.security (360 Security - Antivirus)\r\n* com.symantec.mobilesecurity (Norton Security and Antivirus)\r\n* com.cleanmaster.security (CM Security AppLock AntiVirus)\r\n* com.duapps.antivirus (DU Antivirus - Lock app, video)\r\n* com.antivirus (AVG AntiVirus FREE for Android)\r\n* com.cleanmaster.boost (CM Speed Booster丨Cache Cleaner)\r\n* com.zrgiu.antivirus (Antivirus Free - Virus Cleaner)\r\n* com.kms.free (Kaspersky Antivirus \u0026 Security)\r\n* com.nqmobile.antivirus20 (NQ Mobile Security \u0026 Antivirus)\r\n* com.cleanmaster.mguard (Clean Master (Boost\u0026Antivirus))\r\n* com.drweb (Anti-virus Dr.Web Light)\r\n* com.bitdefender.antivirus (Bitdefender Antivirus Free)\r\n* com.avira.android (Avira Antivirus Security)\r\n* com.ikarus.mobile.security (IKARUS mobile.security)\r\nSMS harvesting\r\nAt startup, Marcher asks for read/write permissions for both SMS and MMS messages if it doesn’t have them already. 
Then, whenever the client receives the command ‘load_sms’ from the C2 server, it grabs all SMS messages from the device and sends them back to the back-end. The same mechanism is used to invoke ‘processIncomingMessages’, which intercepts incoming messages as they arrive.\r\nSmartly using permissions\r\nWhen the malware first runs, it asks for device administrator rights; even when the user denies the request or kills the process, the prompt comes back until the user accepts. Having this privilege enables the malware to lock and mute the phone, even to reset the password, and to make the phishing WebView permanent. This malicious activity works similar to ransomware, but no files are encrypted.\r\nDevice admin “nagging” screen\r\nCode snippet showing code to reset the password or lock the device\r\nDifferent botnets\r\nWe have researched various Marcher actors over the last 6 months. Many of them target financials in Germany, France, the UK and the United States. The latest samples mainly target banks from Germany, Austria and France. Based on their own Trojan user manual we know that there are at least 9 Marcher actors with their own botnets, supported by the original creators of the Trojan with new modules and targeted banks/webinjects (HTML overlay files) every week. The following botnets were observed by our team:\r\n* flexdeonblake\r\n* angelkelly\r\n* MUCHTHENWERESTO\r\n* balls51\r\n* CHECKPIECEUNTIL\r\n* crystalknight\r\n* jadafire\r\n* sinnamonlove\r\n* CONTAINSURE\r\nThe details in this blog are based on an assessment of only one Marcher actor/botnet. Based on statistics of the back-end we know that their campaign has successfully infected 5696 German and 2198 French mobile devices, out of a total of 11049 affected mobile devices. 
While assessing their C2 server, we found that most infected devices are running Android 6.0.1. The C2 server at the time of investigation contained at least 1300 credit card numbers and other bank information (username/password + SMS TAN).\r\nBot amount by country\r\nBot amount by Android version\r\nC2 panel features\r\nBesides information obtained through phishing, the C2 server collects the following information from infected devices:\r\n* IMEI\r\n* phone number\r\n* IP address\r\n* carrier name\r\n* SMS messages\r\n* contact phone numbers\r\n* installed packages\r\nIt can also instruct devices to send an SMS message, lock the screen while showing a webpage, and run USSD commands for call forwarding. The panel also has a feature to control the bot via SMS messages using commands like:\r\n* rent\u0026\u0026\u0026 (intercept and forward SMS)\r\n* ussd\u0026\u0026\u0026 (call USSD code)\r\n* sent\u0026\u0026\u0026 (send SMS from the bot, e.g. sent\u0026\u0026\u0026+31000000#sms_body)\r\n* killStart (lock the phone with a password, disable the screen permanently)\r\n* killStop (undo the killStart changes)\r\nOther options the panel has are changing the back-end URL and creating, enabling and disabling web injects, which allows for a lot of flexibility concerning the targeted apps and displayed screens. 
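The SMS control channel listed above is something a defender can match on, at an SMS gateway or in an MDM log. The following parser is an added example and not code from the report or from the Marcher panel: the command names and the sent&&&number#body layout come from the report; that rent and ussd carry their argument after the same &&& separator is this example's own assumption, and the sender numbers and message records are constructed.

```python
# Added example: parser for the SMS control commands listed above, as a
# detection rule or an SMS-gateway filter would apply it. Not code from the
# report or from the Marcher panel. The command names and the
# sent&&&<number>#<body> layout come from the report; that rent and ussd carry
# their argument after the same &&& separator is this example's own assumption.
SEPARATOR = '&&&'
PREFIXED = {'rent': 'intercept and forward SMS', 'ussd': 'call USSD code', 'sent': 'send SMS from bot'}
BARE = {'killStart': 'lock phone, disable screen', 'killStop': 'undo killStart'}

def parse_bot_command(sms_body):
    '''Return a dict for a recognised bot command, or None for ordinary text.'''
    text = sms_body.strip()
    if text in BARE:
        return {'cmd': text, 'arg': None, 'number': None, 'body': None, 'meaning': BARE[text]}
    head, sep, rest = text.partition(SEPARATOR)
    if not sep or head not in PREFIXED:
        return None
    result = {'cmd': head, 'arg': rest or None, 'number': None, 'body': None, 'meaning': PREFIXED[head]}
    if head == 'sent':
        # sent&&&+31000000#sms_body: destination number, then #, then the message body
        number, hash_sep, body = rest.partition('#')
        if not hash_sep or not number:
            return None   # malformed: a real send command carries both parts
        result['number'] = number
        result['body'] = body
    return result

def scan_sms(records):
    '''Run the parser over (sender, body) records and return only the control messages.'''
    hits = []
    for sender, body in records:
        parsed = parse_bot_command(body)
        if parsed is not None:
            parsed['sender'] = sender
            hits.append(parsed)
    return hits

# Constructed records; the numbers are placeholders, not indicators from the report.
SAMPLE_SMS = [
    ('+31600000001', 'Hi, are we still on for tonight?'),
    ('+31600000002', 'sent&&&+31000000#Your code is 123456'),
    ('+31600000002', 'ussd&&&*21*+31000000#'),
    ('+31600000002', 'rent&&&'),
    ('+31600000002', 'killStart'),
    ('+31600000002', 'sent&&&nonumber'),
]

if __name__ == '__main__':
    for hit in scan_sms(SAMPLE_SMS):
        print(hit['sender'], hit['cmd'], hit['meaning'], hit['arg'])
```

The ussd record uses *21*, the GSM prefix that activates unconditional call forwarding, which is the call-forwarding use the report mentions. The bare killStart and killStop words can occur in ordinary text, so a production filter should only raise on them together with a sender already seen issuing a prefixed command.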
The phishing screens are hosted on the C2 server and are loaded from there at the time the screen is displayed.\r\nMarcher documentation\r\nThe source code of the Marcher C2 server indicates that they have successfully implemented a SOCKS feature for bots and are selling it as a separate module. SOCKS enables the attackers to perform malicious transactions through the victim’s device and IP address. This feature could be used to circumvent fraud detection by financial institutions that relies on device binding and on the IP address of the customer’s Android device.\r\nSource code snippet showing SOCKS functionality\r\n// replace: 1111 -\u003e last_ip (ip of bot): the stored status string contains the placeholder 1111\n$SOCKS_status = \"Offline\";\nif ($row[\"SOCKS_status\"]) {\n    $SOCKS_status = $row[\"SOCKS_status\"];\n    if (isset($_SERVER[\"HTTP_X_FORWARDED_HOST\"])) $SOCKS_status = str_replace(\"1111\", $_SERVER[\"HTTP_X_FORWARDED_HOST\"], $SOCKS_status);\n    else $SOCKS_status = str_replace(\"1111\", $_SERVER[\"REMOTE_ADDR\"], $SOCKS_status);\n}\nif (!isset($client_cfg['mod_SOCKS']) || !$client_cfg['mod_SOCKS']) {\n    $data = \"\n\n## SOCKS: **disabled**\n\n\";\n    return $data;\n}\nNote that when the request carries an X-Forwarded-Host header the panel substitutes that header value, which any HTTP client can set itself, and only falls back to the connecting address in REMOTE_ADDR otherwise.\r\nSamples\r\nBelow are the most recent Marcher samples we have come across. 
There are however many more out there. Samples can be obtained from, for example, Koodous.\r\nNetflix BETA\r\n* Package name: iyq.bmjhaqtqndshhxmrzeyxaaepaxxahy\r\n* SHA256: b087728f732ebb11c4a0f06e02c6f8748d621b776522e8c1ed3fb59a3af69729\r\nPostbank\r\n* Package name: jihpynmjnsftqlslbg.iraqakpzzdzspqbneq\r\n* SHA256: 5bb9b9173496d8b70093ef202ed0ddddd48ad323e594345a563a427c1b2ebc22\r\nYouporn\r\n* Package name: cisfm.rygkfxpsyyldznvjufubiacoriibbx\r\n* SHA256: c8f753904c14ecee5d693ce454353b70e010bdaf89b2d80c824de22bd11147d5\r\nAndroid Update\r\n* Package name: mor.yehoeiphksbxbwfigcopschkhfxpkj\r\n* SHA256: c172567ccb51582804e589afbfe5d9ef4bc833b99b887e70916b45e3a113afb8\r\nDHL Express Mobile\r\n* Package name: ijrtc.jwieuvxpjavuklczxdqecvhrjcvuho\r\n* SHA256: fcd18a2b174a9ef22cd74bb3b727a11b4c072fcef316aefbb989267d21d8bf7d\r\nMobilfunknetz Update\r\n* Package name: com.tpvxjnxophkekmritrhjyeyrbnfsyl\r\n* SHA256: a1258e57c013385401d29b75cf4dc1559691d1b2a9afdab804f07718d1ba9116\r\nBloomberg PRO\r\n* Package name: djgd.zvnnpjllwxrnqcvdonprixxpizlfzg\r\n* SHA256: a1258e57c013385401d29b75cf4dc1559691d1b2a9afdab804f07718d1ba9116\r\nAlzashop.com\r\n* Package name: atlk.ussdpifhzgedqrysfygranbxmffhck\r\n* SHA256: ed2b26c9cf4bc458c2fa89476742e9b0d598b0c300ab45e5211f29dfd9ddd67b\r\nSuper Mario Run\r\n* Package name: vlhtc.hsicifsgxehymvdvajyzyckijyatpo\r\n* SHA256: be6c8a4afbd4b31841b2d925079963f3bd5422a5ee5f248c5ed5013093c21cf9\r\nRuntastic\r\n* Package name: zwhp.nbneaijecxwskcxtlkvmnqkryxgdgq\r\n* SHA256: ec4d182b0743dbdedb989d4f4cb2d607034ee1364c30103b2415ea8b90df8775\r\nWhatsapp Security\r\n* Package name: com.wood\r\n* SHA256: 5a9e3d2c2ef29b76c628e70a91575dc4be3999b60f34cab35ee70867faaff4a0\r\nPostbank Sicherheitszertifikat\r\n* Package name: zcdr.kmvxvlidqpezvegypetddrutebanrp\r\n* SHA256: 5df132235eccd1e75474deca5b95e59e430e23a22f68b6b27c2c3a4aeb748857\r\nPošta Online\r\n* Package name: 
nkl.gewpfvqsnxehngqtzjlhrcqivqsqhw\r\n* SHA256: 25e07c50707c77c8656088a9a7ff3fdd9552b5b8022d8c154f73dca1e631db4f\r\n360 Security\r\n* Package name: com.p360courv\r\n* SHA256: f7743a01fc80484242d59868938ec64990c19bea983fb58b653822c9ee3306a1\r\nVolksbank Sicherheitszertifikat\r\n* Package name: amise.syrwhshjopuvyqhrucvvosjjcnrbrz\r\n* SHA256: 6f8b7aa6293238d23b1c5236d1c10cecc54ec8407007887e99ea76f9fce51075\r\nING Beveiligingsupdate\r\n* Package name: com.ingbvupdd\r\n* SHA256: 7f08cc20aa6e1256f6a8db3966ac71ad209db6dff14a6dde0fd7b2407c2c23e7\r\nGoogle Play Services\r\n* Package name: cosmetiq.fl\r\n* SHA256: b4e5affbc3ea94eb771614550bc83fde85f90caddcca90d25704c9a556f523da\r\nC2s\r\nhxxps://loupeacara.net/flexdeonblake/\r\nhxxps://sarahtame.at/flexdeonblake/\r\nhxxps://loupeahak.com/flexdeonblake/\r\nhxxps://chudresex.at/flexdeonblake/\r\nhxxps://chudresex.cc/flexdeonblake/\r\nhxxps://memosigla.su/flexdeonblake/\r\nhxxps://rockybalboa.at/angelkelly/\r\nhxxps://storegoogle.at/angelkelly/\r\nhxxps://trackgoogle.at/angelkelly/\r\nhxxps://track-google.at/angelkelly/\r\nhxxps://coupon-online.fr/angelkelly/\r\nhxxps://inovea-engineering.com/angelkelly/\r\nhxxps://lingerieathome.eu/angelkelly/\r\nhxxps://playgoogle.at/angelkelly/\r\nhxxps://i-app5.online/MUCHTHENWERESTO/\r\nhxxps://i-app4.online/MUCHTHENWERESTO/\r\nhxxps://i-app1.online/MUCHTHENWERESTO/\r\nhxxps://176.119.28.74/balls51/\r\nhxxps://soulreaver.at/balls51/\r\nhxxps://olimpogods.at/balls51/\r\nhxxps://divingforpearls.at/balls51/\r\nhxxps://fhfhhhrjtfg3637fgjd.at/CHECKPIECEUNTIL/\r\nhxxps://dfjdgxm3753u744h.at/CHECKPIECEUNTIL/\r\nhxxps://dndzh457thdhjk.at/CHECKPIECEUNTIL/\r\nhxxps://playsstore.mobi/QUESTIONROADFAR/\r\nhxxps://secure-ingdirect.top/CHECKPIECEUNTIL/
\r\nhxxps://playsstore.net/QUESTIONROADFAR/\r\nhxxps://compoz.at/crystalknight/\r\nhxxps://cpsxz1.at/crystalknight/\r\nhxxps://securitybitches3.at/jadafire/\r\nhxxps://wqetwertwertwerxcvbxcv.at/jadafire/\r\nhxxps://securitybitches1.at/jadafire/\r\nhxxps://ldfghvcxsadfgr.at/jadafire/\r\nhxxps://weituweritoiwetzer.at/jadafire/\r\nhxxps://wellscoastink.biz/jadafire/\r\nhxxps://deereebee.info/jadafire/\r\nhxxps://ssnoways.info/jadafire/\r\nhxxps://elitbizopa.info/jadafire/\r\nhxxps://filllfoll.biz/jadafire/\r\nhx xps://bizlikebiz.biz/jadafire/\r\nhxxps://barberink.biz/jadafire/\r\nhxxps://nowayright.biz/jadafire/\r\nhxxps://messviiqqq.info/jadafire/\r\nhxxps://qqqright.info/jadafire/\r\nhxxps://sudopsuedo1.su/sinnamonlove/\r\nhxxps://sudopsuedo2.su/sinnamonlove/\r\nhxxps://sudopsuedo3.su/sinnamonlove/\r\nhxxps://androidpt01.asia/CONTAINSURE/\r\nhxxps://androidpt02.asia/CONTAINSURE/\r\nPreventing infection\r\nUsers should avoid downloading apps from third-party sources and only use the Google Play Store (so do not enable installation from unknown sources). Take note however that even in the Google Play Store apps are not necessarily malware free. Check whether the requested privileges correspond with the privileges you would expect from the app you want to install. Also, never click on a suspicious link in an SMS or email message, even if it comes from a trusted contact.\r\nConclusion\r\nMarcher is growing into a mature Trojan with a solid organization behind it, like many of the banking malware families we have seen over the years on the Windows platform (Sinowal/Torpig, Dyre, Dridex, Gozi, etc.). Development of new features and support for newer Android versions is ongoing and we will be keeping an eye on it to see where things are going. 
The main actors of Marcher appear to make money not only off the stolen credentials but also from providing their Trojan to other groups and selling new capabilities such as the SOCKS module and new injects.\r\nBased on the statistics we found on this one C2 panel we researched and the number of different C2 panels out there, we believe that the potential financial losses due to Android banking Trojans are, or will soon be, bigger than the current losses from desktop malware like Gozi and Dridex, especially since hardly any of the banking apps seem to detect the attack.\r\nIf you want to remain safe from malware yourself, be vigilant when installing new applications on your device and try to keep your device up to date. From Google’s side we are seeing some improvements on the Android platform itself to combat techniques used by malware. The current techniques used to retrieve the foreground app, for example, no longer work on Android 7. However, more can be done to improve platform security, especially around the “Unknown Sources” setting. To quote Yorick Koster, who has been testing mobile app security on all platforms for many years: “all these MDM solutions require you to enable Untrusted Sources. I don’t know why Google doesn’t have a solution for this yet, like Apple does with enterprise certificates”.\r\nWe have been worrying about security on desktop computers for decades. 
Now, with mobile malware on the rise, it’s about time everyone starts worrying about mobile device security, especially considering that for many targeted financials most transactions these days take place on mobile devices.\r\nSecurify’s Client Side Detection for Android solution\r\nFor organizations interested in detecting Android banking malware on customer devices, please contact us to learn how our CSD solution can adaptively detect emerging mobile and web banking Trojan threats.\r\nSource: https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"
	],
	"report_names": [
		"exobot_android_banking_trojan_on_the_rise.html"
	],
	"threat_actors": [
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446540,
	"ts_updated_at": 1775792087,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b30470b6b6494095ab9064d0d2ae2c364ffcdddf.pdf",
		"text": "https://archive.orkl.eu/b30470b6b6494095ab9064d0d2ae2c364ffcdddf.txt",
		"img": "https://archive.orkl.eu/b30470b6b6494095ab9064d0d2ae2c364ffcdddf.jpg"
	}
}