Exobot
Major malware-as-a-service (MaaS) banking trojan that operated from 2016 to 2018, when its author put the source code up for sale. Based on the Marcher trojan, Exobot was one of the most commercially successful Android banking trojans of its era. The leak of its source code in May 2018 spawned the ExobotCompact/Coper lineage that eventually became Octo, one of the most active banking trojans of 2022-2025.
Overview
| Property | Value |
|---|---|
| First Seen | Late 2016 |
| Last Seen / Status | Author quit January 2018; source leaked May 2018; lives on through Octo lineage |
| Type | Banking trojan / MaaS |
| Attribution | Unknown author; ExobotCompact by actor "android" |
| Aliases | Trojan-Banker.AndroidOS.Marcher (Kaspersky), Marcher (some vendors) |
Distribution
Sold as MaaS on underground forums. Distributed to victims via Google Play dropper apps, phishing SMS campaigns, and third-party app stores. Campaigns targeted Turkey, France, Germany, Australia, Thailand, and Japan.
Capabilities
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView overlays over banking/financial apps |
| Foreground detection | Used the AndroidProcesses library (the only public method for foreground-app detection on Android 6+) |
| SMS interception | 2FA bypass via SMS reading |
| Keylogging | Captured keystrokes |
| Call forwarding | Redirected incoming calls |
| Device lock | Locked device screen |
| Minimal permissions | Did not require root or special permissions beyond INTERNET |
Lineage
Exobot has one of the most consequential lineages in Android malware:
```mermaid
graph LR
    Marcher["Marcher (2016)"] --> Exobot["Exobot v1/v2 (2016-2018)"]
    Exobot --> ExobotCompact["ExobotCompact (2018+)"]
    ExobotCompact --> Coper["Coper (2021)"]
    Coper --> Octo["Octo (2022)"]
    Octo --> Octo2["Octo2 (2024)"]
```
| Stage | Period | Actor | Key Change |
|---|---|---|---|
| Marcher | Early 2016 | Unknown | Original banking trojan |
| Exobot v1/v2 | 2016-2018 | Original author | MaaS evolution, WebView overlays |
| ExobotCompact | 2018+ | "android" | Stripped-down rebuild from leaked source |
| Coper | 2021 | "android" | AV vendor designation for ExobotCompact variant |
| Octo | 2022 | "android" | Rebranded ExobotCompact with ODF via Accessibility + MediaProjection |
| Octo 2 | 2024 | Multiple | Post-Octo leak, enhanced device takeover |