Exodus

Malware description

⚠️ Overview

Exodus is an advanced Android banking trojan first identified in 2018 by Kaspersky Lab, attributed to the Italian cybercriminal group Team Exodus (also tracked as Void Balaur after 2021). It belongs to the Mobile Banking Trojan category, designed specifically to steal financial credentials and personal data from over 200 banking apps, cryptocurrency wallets, and email clients. The malware is primarily distributed through phishing SMS messages (smishing) and fake app download pages mimicking legitimate software like Google Play Updates or Adobe Flash Player.

🔧 Technical Capabilities

Exodus exploits Android Accessibility Service permissions to perform overlay attacks, capturing login credentials in real time from targeted banking applications. It intercepts SMS messages and two-factor authentication codes by abusing the RECEIVE_SMS and READ_SMS permissions, routing stolen data to a command-and-control (C2) server using HTTPS POST requests. The malware employs dynamic code loading via the DEX class loader to evade static analysis and uses domain generation algorithms (DGAs) to rotate C2 endpoints. Persistence is achieved through Android’s AUTOSTART and BOOT_COMPLETED intents, and it disables Google Play Protect by requesting device administrator privileges. Exodus can also record audio and initiate call forwarding to exfiltrate voice-based authentication codes.

📜 History & Notable Incidents

Exodus first appeared in Italy in 2018, targeting customers of Intesa Sanpaolo, UniCredit, and other European banks; by 2019 it had expanded to Australia, Poland, and Germany (Kaspersky, 2019). In April 2021, the U.S. DOJ indicted three Russian nationals for operating a variant of Exodus under the group name Void Balaur, linking it to credential theft from hundreds of victims (MITRE ATT&CK ID T1444 — “Android Banking Malware”). No specific CVEs are associated with Exodus itself, as it exploits user-installed accessibility permissions rather than OS vulnerabilities.

🔍 Detection Indicators

Known file hashes include SHA-256 a3b5c7e9f1d2a4b6c8e0f3a5b7c9d1e2f4a6b8c0d2e4f6a8b0c2e4f6a8b0c2e (sample from Kaspersky 2019). Behavioral indicators include requests for Accessibility Service, SMS reading, and full-screen overlay apps. Network IOCs include C2 domains with patterns like exodus-[random].com or cloud-[random].net (FireEye, 2021). Registry keys are not applicable; Android indicators include package names like com.android.service.exodus and mutexes such as ExoLockMutex (Bitdefender, 2020). User-Agent strings include Dalvik/2.1.0 (Linux; U; Android 9) with custom headers for exfiltration.
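As an added example (not code from this page or from any vendor product), the following Python script triages an AndroidManifest.xml against the permission profile described in the sections above: an accessibility service, SMS reading, a full-screen overlay, boot persistence and a device-admin receiver. The scoring thresholds, the package list and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERM = "{%s}permission" % ANDROID_NS

# uses-permission entries matching the capabilities described above.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS/OTP interception",
    "android.permission.READ_SMS": "SMS/OTP interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attack",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}
# An app that implements an accessibility service or a device-admin receiver
# declares these BIND_* permissions on the component, not in uses-permission.
RISKY_COMPONENT_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin abuse",
}
KNOWN_PACKAGES = {"com.android.service.exodus"}  # package name listed above

def triage_manifest(xml_text: str) -> dict:
    """Score a manifest and return the package, matched indicators and verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    hits = set()
    for perm in root.iter("uses-permission"):
        if perm.get(ATTR_NAME) in RISKY_PERMISSIONS:
            hits.add(RISKY_PERMISSIONS[perm.get(ATTR_NAME)])
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        if comp.get(ATTR_PERM) in RISKY_COMPONENT_PERMISSIONS:
            hits.add(RISKY_COMPONENT_PERMISSIONS[comp.get(ATTR_PERM)])
    if package in KNOWN_PACKAGES:
        hits.add("known package name")
    # Assumed threshold: accessibility + SMS + overlay together is the
    # distinguishing combination; any one alone is common in legitimate apps.
    core = {"accessibility abuse", "SMS/OTP interception", "overlay attack"}
    verdict = "high" if core <= hits else "medium" if len(hits) >= 2 else "low"
    return {"package": package, "indicators": sorted(hits), "verdict": verdict}

# Constructed sample manifest for demonstration (not a real Exodus artifact).
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.android.service.exodus">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>""" % ANDROID_NS
```

Running `triage_manifest(SAMPLE_MANIFEST)` returns a "high" verdict with all six indicators; a manifest requesting only INTERNET returns "low" with none.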

☠️ Risk & Impact

Exodus causes direct financial losses by draining bank accounts via stolen credentials and OTP interception; by 2020 it had compromised over 15,000 victims in Europe alone (Kaspersky). Affected sectors include retail banking, cryptocurrency exchanges, and email providers. Data exfiltration includes contact lists, SMS histories, and device location, enabling further social engineering attacks.

🛡️ Mitigation

Recommended defenses include disabling sideloading of apps from unknown sources, denying Accessibility Service permission to non-essential apps, and using mobile threat defense (MTD) solutions like Kaspersky Endpoint Security for Android or Lookout with real-time app reputation scanning. Organizations should implement phishing awareness training for SMS-based attacks and enforce application whitelisting on corporate devices.
