{
	"id": "8561b6a8-f8c7-45dc-a606-e0ae9346c8d9",
	"created_at": "2026-04-06T00:13:39.170531Z",
	"updated_at": "2026-04-10T03:30:33.299892Z",
	"deleted_at": null,
	"sha1_hash": "c30cd9133fd5cba772d2792f9c08a5e6e0376688",
	"title": "New Exo Android Trojan Sold on Hacking Forums, Dark Web",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1605756,
	"plain_text": "New Exo Android Trojan Sold on Hacking Forums, Dark Web\r\nBy Catalin Cimpanu\r\nPublished: 2016-12-09 · Archived: 2026-04-05 14:21:31 UTC\r\nMalware coders are advertising a new Android trojan that can be used for phishing banking credentials, intercepting SMS\r\nmessages, locking devices with a password (ransomware-like behavior), and more.\r\nThe trojan's name is Exo Android Bot, or Exobot, and is being advertised and sold via Jabber/XMPP spam, via hacking\r\nforums, Dark Web marketplaces, and even on the public Internet via a dedicated website.\r\nAccording to the information we were able to unearth, the trojan has been sold as early as mid-June 2016, when its creator\r\n(or one of its creators) had opened a topic on a Russian-speaking hacking forum (image below).\r\nhttps://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/\r\nPage 1 of 8\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/\r\nPage 2 of 8\n\nVisit Advertiser websiteGO TO PAGE\r\nShortly after, a listing appeared on AlphaBay, the largest Dark Web marketplace for illegal products.\r\nIn October, someone had also registered a domain on the public Internet, where he now hosts a website, peddling the\r\nmalware.\r\nhttps://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/\r\nPage 3 of 8\n\nIn November, we also came across Jabber/XMPP spam advertising Exo.\r\nThe trojan is currently sold at different prices, depending where you see an ad for it, but Exo is rented out on a weekly,\r\nmonthly, or yearly basis.\r\nAccording to its creator(s), Exo is worth its price. First of all, Exo works on Android versions 4, 5, and 6. 
In some ads, it's\r\nalso advertised as working on Android 7, but this may be just false advertising, since not all listings advertise this feature.\r\nFurthermore, crooks boast that the trojan doesn't need root access to work and that users can't uninstall it manually, meaning\r\nthey need to do a complete phone reflashing to get rid of Exo.\r\nOther features, taken from the AlphaBay listing, are embedded below [original, unaltered text]:\r\n- SMS intercept (send the sms content to admin panel in real time. If is desired with jabber notifications too, can be\r\nconfigured for a target or by sender phone numbers)\r\n- Send SMS for a specified phone number\r\n- Hide/delete incoming sms (this feature works upto android 4.4 version)\r\n- USSD' requests\r\n- Web injects (show phising over targeted app names to steal data, username,password,telepin whatever you want)\r\n- Custom injects could be made under customer request\r\n- CC Stealer (Steal CCs data Including VBV/MSC/SAFEKEY ) (CCs stealer can target the desired apps. 
Example:\r\nWhatsapp, Viber, the Google the Play Store)\r\n-Jabber notifications for incoming new CCs or WebInject data or the SMS from specified phone numbers Collected\r\n- Lock / unlock device with a password / disable screen and phone use also can show a custom page on locked screen\r\n-Uninstall the bot manually (without the PC / cable) is impossible\r\n- Wi-Fi access / mobile data automatic enabler, if detect stored wifi networks on range\r\n- Send Mass SMS to all contacts from the infected phone\r\n- Control the bot with SMS too in case no internet access\r\n- Exo Android Bot do not need Root privileges to work Correctly\r\n- Admin panel to manage your bots\r\n- Our bot works from 2.3 to 6.0.1 Android versions\r\nThe same AlphaBay listing provides a short FAQ section, which also provides a hint on Exo's origins [original, unaltered\r\ntext] [text in bold]:\r\n- we dont install admin panel files outside our servers , the customer will need to provide us a vps/server root access to\r\ninstall frontend/proxy script\r\n- Customer must provide from 1 to 3 domains names where the bot be pointing to\r\n- we are noob friendly , which means we may guide you to setup all the neccesary stuff for a fast start on this android scene\r\n- if you consider our product is expensive and no worth , is not our problem if you dont have money. or dont have the\r\nintention to use our services and just want troll around\r\n- we are here to make happy our customers and be sure all the features which we are offering it works and continue working\r\noffering a good support\r\n- this project was made from scratch ? answer : No, we purchased a base source code 4 months ago directly from his\r\ndeveloper before he vanish from internet, and we began our own project and development/improvements/new\r\nfeatures\r\n- what if i rent your product and your dissapear? 
Answer : No definetly we are not going to dissapear or run away least for\r\nthe next year\r\n- what other features are planned for the incoming months? Answer: VNC/Geo Fencing / File Manager Browser and others\r\n- Why you are renting this if is stable and good as you say to be? Answer : Direct Financial to keep improving this project\r\nand be sure will be alive during many time, so we dont need to use our parallels earnings to use on this.\r\n- Where can i contact you? Answer : you may contact us directly on our sales jabber id : [REDACTED] (Serious people with\r\nserious deal only, Haters.Time waster pls stay away)\r\n- we dont provide apk builder\r\n- cleaning service? Answer : we delivery the apk file clenaed and include free cleaning 1 time monthly. for other cleaning\r\nservices can be discussed\r\nAs you can see, the Exo author is providing a control panel for managing infected bots, but one that buyers can access only via\r\na proxy client installed on their own servers. Below are two GIFs depicting the Exo control panel, included in some of the\r\nads.\r\nBleeping Computer reached out to one of the contacts listed in many of the ads, and we stumbled upon a person that\r\nadmitted he was only a reseller, meaning Exo already runs its own affiliate system.\r\nBleeping Computer also reached out to Exo's creator(s), but we have not received any reply at the time of publishing.\r\nIn the original hacking forum ad, Exo's creator had listed the times of day during which he wanted to be contacted: \"14:00\r\n— 20:00 MSK\". 
MSK stands for Moscow Time, which is a pretty reliable (not definitive) clue on the hacker's location,\r\ntaking into account the ad was initially listed on a forum for Russian-speaking hackers.\r\nFurthermore, Exo includes a feature that prevents the trojan from executing on devices from users located in former Soviet\r\nstates, and the US. This filter is likely there so the author may avoid getting on the radar of Russian or US law enforcement\r\nagencies.\r\nBleeping Computer has reached out to several security providers and inquired about campaigns distributing Exo, so as to assess\r\nthe status of this current malware family, either as a marginal player or as an active threat.\r\nSource: https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/"
	],
	"report_names": [
		"new-exo-android-trojan-sold-on-hacking-forums-dark-web"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c30cd9133fd5cba772d2792f9c08a5e6e0376688.pdf",
		"text": "https://archive.orkl.eu/c30cd9133fd5cba772d2792f9c08a5e6e0376688.txt",
		"img": "https://archive.orkl.eu/c30cd9133fd5cba772d2792f9c08a5e6e0376688.jpg"
	}
}