{
	"id": "a1d0106d-2f60-47cb-8a01-25c87035ac71",
	"created_at": "2026-04-06T00:12:56.305787Z",
	"updated_at": "2026-04-10T03:23:51.393144Z",
	"deleted_at": null,
	"sha1_hash": "b58a41ba2e89c384a4b2573d9e14d8f6f366b2cf",
	"title": "Source Code for Exobot Android Banking Trojan Leaked Online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 985112,
	"plain_text": "Source Code for Exobot Android Banking Trojan Leaked Online\r\nBy Catalin Cimpanu\r\nPublished: 2018-07-23 · Archived: 2026-04-05 22:38:50 UTC\r\nThe source code of a top-of-the-line Android banking trojan has been leaked online and has since rapidly spread in the\r\nmalware community, worrying researchers that a new wave of malware campaigns may be in the works.\r\nThis malware's name is Exobot, an Android banking trojan that was first spotted at the end of 2016, and which its authors\r\nmysteriously abandoned by putting its source code for sale in January this year.\r\nIn day to day operations, malware authors sell monthly or weekly access to their malware in what security researchers call\r\nMaaS (Malware-as-a-Service) or CaaS (Cybercrime-as-a-Service).\r\nhttps://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nBut when a malware author sells the malware's entire source code, this usually means the malware author is moving to\r\nsomething else and doesn't want to work on it anymore. 
Usually, that source code leaks online after enough people buy it.\r\nExobot source code leaked online in May\r\nThis happened many times in the past with all sorts of malware strains, and it also happened to Exobot, as last month,\r\nBleeping Computer received a copy of this source code from an unknown individual.\r\nBleeping Computer has shared this source code and verified its authenticity with security researchers from ESET and\r\nThreatFabric.\r\nThe code proved to be version 2.5 of the Exobot banking trojan, also known as the \"Trump Edition,\" one of Exobot's last\r\nversions before its original author gave up on its development.\r\nSecurity researchers from ThreatFabric have told Bleeping Computer that the Exobot trojan source code we received had\r\nactually leaked online in May when one of the users who bought it from the original author decided to share it with the\r\ncommunity.\r\nSince then, Bleeping Computer has discovered that the Exobot source code is now being distributed on quite a few\r\nunderground hacking forums.\r\nSecurity researchers fear rise in Exobot campaigns\r\nSecurity researchers are now afraid that the code's proliferation may lead to a surge in malware campaigns that will push\r\nmalicious Android apps infected with this trojan.\r\nBut these aren't just warnings from \"fearmongering\" security researchers. Something like this has happened before.\r\nIn December 2016, the source code of the BankBot Android banking trojan leaked online, and it led to a massive outburst of\r\nmalware campaigns pushing the trojan in 2017.\r\nThe BankBot code's availability lowered the entry barrier and financial costs for wannabe malware authors to enter the\r\nAndroid malware scene. 
Now, with Exobot being shared in the same way, security researchers are bracing for a similar surge\r\nof campaigns.\r\nExobot is very powerful\r\nCengiz Han Sahin, security researcher and spokesperson with ThreatFabric, says that Exobot is a pretty potent banking\r\ntrojan, capable of infecting even smartphones running the latest Android versions, something that very few trojans can do.\r\n\"All threat actors have been working on timing injects (overlay attacks) to work on Android 7, 8, and even 9,\" Sahin says.\r\n\"However Exobot really is something new.\r\n\"The trojan gets the package name of the foreground app without requiring any additional permissions,\" he says, \"This is a\r\nbit buggy, still, but works in most cases.\"\r\n\"The interesting part here is that no Android permissions are required,\" Sahin adds. \"All other Android banking trojan\r\nfamilies are using the Accessibility or Use Stats permissions to achieve the same goal and therefore require user interaction\r\nwith the victim.\"\r\nSo not only is Exobot's source code freely accessible, but it's also pretty effective, just like the BankBot code was top-of-the-line when it was leaked in 2016. In the coming months, we may see Android malware devs slowly migrating their\r\ncampaigns from BankBot to Exobot, as few will decline a \"free upgrade\" to better code.\r\nSource: https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/"
	],
	"report_names": [
		"source-code-for-exobot-android-banking-trojan-leaked-online"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b58a41ba2e89c384a4b2573d9e14d8f6f366b2cf.pdf",
		"text": "https://archive.orkl.eu/b58a41ba2e89c384a4b2573d9e14d8f6f366b2cf.txt",
		"img": "https://archive.orkl.eu/b58a41ba2e89c384a4b2573d9e14d8f6f366b2cf.jpg"
	}
}