ExobotCompact.D is a banking trojan that steals sensitive information from mobile banking apps. It is a modular malware that can be customized to target specific banks and financial institutions.

ExobotCompact.D is a banking trojan that steals sensitive information from mobile banking apps. ExobotCompact.D is also known as Octo. It is a modular malware that can be customized to target specific banks and financial institutions. ExobotCompact.d is typically distributed through SMS phishing messages containing malicious links. Once the link is clicked, the malware is installed on the victim’s device.  

Attackers behind ExobotCompact.D spread this trojan through SMS messages that social engineers users to install fake versions of commonly used apps like WhatsApp, Netflix, and Runtastic. Then, using an overlay attack, they displayed a page that appeared to be that of a bank, which enabled them to steal user credentials and details on credit and debit cards. 

The trojan also had another layer of deception: it checked the current app running on the user’s screen. Then, it adapted the phishing overlay to that app so the user would be less likely to suspect it was malicious. The trojan used the Android Process library to determine which app was running in the foreground. The trojan also checked for the existence of antivirus apps and even closed the antivirus app if it detected the trojan. 

ExobotCompact.D was first discovered in February 2017. More than 370 banking apps have been targeted, with victims across Belgium, France, Germany, Italy, and the U.K. ExobotCompact.D employs many advanced tactics while also relying on novel capabilities: 

  • The ExobotCompact.D samples discovered have all been very small apps, typically around 700 KB 
  • The lists of banks targeted and associated overlays could be updated via a command-and-control server. 
  • Discovered samples do not contain native libraries and consist only of Dalvik bytecode, a discontinued virtual machine that executes apps on the Android platform. 
  • It uses the AndroidProcess library, which enables the application to obtain the name of the Android package currently running in the foreground. It was used to detect which targeted banking app is running currently, and then it displays the overlay accordingly. 

Mitigating the Threat of ExobotCompact.D

To protect your mobile banking app and its users from the ExobotCompact.D banking trojan and similar threats, consider implementing the following security measures:

  • Regular Updates: Keep your mobile banking app up-to-date with the latest security patches and enhancements to address known vulnerabilities.
  • User Education: Educate users about downloading the official app from trusted sources and being cautious with app permissions.
  • Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
  • Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
  • Secure Coding: Follow safe coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
  • Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
  • Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
  • Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.

Learn More about Banking Trojan Families

ExobotCompact.D is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:

Related Content

Receive Zimperium proprietary research notes and vulnerability bulletins in your inbox

Get started with Zimperium today