A nation-state hacker
Exobot attacks may escalate even more, in the event that the malware’s source code is leaked by hackers iStock

The creator of one of the most advanced Android banking malware variants called Exobot, also known as Marcher, sold the malware's source code on an underground hacking forum before he called it quits. The sale raises concerns about the possibility of new versions of the malware being created to launch widespread attacks on Android users.

The banking malware has been around since 2016 and has undergone several upgrades that have only increased the malware's capabilities, allowing hackers to rake in as much money as possible. Exobot's author had previously been renting out the malware to other hackers – yet another way for the cybercriminal to make more money.

However, in December 2017, the malware's creator, going by the simple pseudonym "android", advertised on an underground hacking forum that he would sell the Exobot malware's source code to "a limited number of buyers" before he quit the business. According to SyfLabs mobile security researcher Cengiz Han Sahin, the hacker bragged about becoming "very rich" after the sale. The researcher suspects that the cybercriminal could actually have struck gold with the sale of the Exobot's source code.

When a malware's source code is sold, it usually has a snowball effect in the proliferation of the malware, with hackers experimenting and creating new versions. The sale of the Exobot's source code also led to a similar scenario, with escalated attacks already detected.

"Less than a month after the actor started selling the Exobot source code, new campaigns in Austria, England, Netherlands and Turkey where discovered. During our investigation, we were surprised to discover that the bot count (number of infected devices) in Turkey was three times higher than those of botnets targeting other countries," Sahin said in a blog.

A new campaign, leveraging the Exobot malware and targeting banks in Turkey was discovered by SyfLabs researchers last month. The campaign is currently ongoing and has already infected over 4,400 devices. The hackers behind the new campaign have already had "a lot of success performing financial fraud on the targeted Turkish banks".

The new campaign also raises concerns that Exobot attacks may escalate even more, in the event that the malware's source code is leaked by hackers that currently possess it. Last year, the source of the proliferate banking Trojan BankBot was leaked online, leading to a widespread proliferation via malicious apps on Google Play Store. Over the past year, Google continually had to fend off BankBot laced apps infecting its users – a similar scenario could possibly also bring a new wave of attacks leveraging Exobot.