Android Trojan ‘Octo’ allows cyber crooks to commit fraud on the device


Security researchers from Threat Fabric have analyzed an Android banking Trojan that allows its operators to perform fraud on the device.

Dubbed Octo, the botnet was first mentioned on dark web forums in January 2022, but an analysis of its code revealed a close connection to ExobotCompact, which is believed to be the successor to the Exobot Android Trojan.

Exobot was used in numerous attacks against financial institutions in Australia, France, Germany, Japan, Thailand and Turkey, and was maintained until 2018.

ExobotCompact emerged as a lite version of the Trojan, with at least four variants observed so far, the most recent of which appeared in November 2021. The malware was even distributed via a dropper app released on Google Play – Fast Cleaner – where it has garnered over 50,000 downloads.

ExobotCompact can load malicious payloads, has keylogging capabilities and supports a variety of commands, based on which it can block notifications, target apps with overlay attacks, intercept SMS, lock the screen and mute, open URLs, launch apps, view push notifications, send text messages, and start remote access sessions.


According to Threat Fabric, the Octo malware that appeared in January is an updated and renamed version of ExobotCompact. Its most important new feature, they point out, is a remote access capability that allows operators to perform on-device fraud (ODF).

“ODF is the most dangerous, risky and discreet type of fraud, where transactions are initiated from the same device the victim uses every day. In this case, anti-fraud engines are challenged to identify fraudulent activity with a significantly lower number of suspicious indicators compared to other types of fraud performed through different channels,” notes Threat Fabric.

Remotely controlling a device requires screen casting and a way to perform actions, and the malware uses Android’s built-in features for this, namely MediaProjection and AccessibilityService, which provide near real-time visibility into what is happening on the device screen.

To hide its malicious activities, the malware uses an option to display a black screen overlay and another to disable all notifications. At the same time, depending on the commands received, the malware can perform gestures and clicks, perform specific actions, set clipboard text and paste clipboard content.

Using these commands, an operator can use Octo to initiate fraudulent transactions and automatically authorize them, says Threat Fabric.
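The two Android features named above, MediaProjection and AccessibilityService, together with the black screen overlay, each have an app-side countermeasure. The following is an added illustration written for this article, not code from Threat Fabric or from the malware; it assumes a hypothetical banking app transaction screen with a `R.layout.activity_transfer` layout and a `R.id.confirm_transfer` button.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.List;

// Hypothetical transaction screen of a banking app (layout and view ids are assumptions).
public class TransferActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // MediaProjection: FLAG_SECURE makes this window render black in screenshots and
        // screen casts, so a remote operator streaming the screen sees nothing useful.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_transfer);
        View confirm = findViewById(R.id.confirm_transfer);

        // Overlays: discard touches delivered while another window (such as a full-screen
        // black overlay) covers this one, so a hidden tap cannot confirm a transfer.
        confirm.setFilterTouchesWhenObscured(true);

        // AccessibilityService: on Android 14+ only services declared as accessibility tools
        // may read this view, which excludes a self-registered malware service.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            confirm.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }

        reportUnknownAccessibilityServices();
    }

    // Enumerate enabled accessibility services and report any not declared as an
    // accessibility tool; the risk decision (warn, step-up auth, block) stays with the app.
    private void reportUnknownAccessibilityServices() {
        AccessibilityManager am = (AccessibilityManager) getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            boolean declaredTool = Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU
                    && info.isAccessibilityTool();
            if (!declaredTool) {
                Log.w("FraudRisk", "non-tool accessibility service enabled: " + pkg);
            }
        }
    }
}
```

FLAG_SECURE does not stop an accessibility service from reading view text, which is why the accessibility-data-sensitive flag and the service enumeration are needed alongside it; the risk signal should feed the anti-fraud backend rather than rely on the user dismissing an on-device prompt that the same service could click through.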


The Octo botnet is “owned” by a threat actor named Architect, who is likely the same person behind Exobot and the first version of ExobotCompact as well. However, security researchers believe that there are currently at least five different actors using the botnet.

“The rebranding to Octo erases previous ties to the Exobot source code leak, inviting multiple threat actors looking for an opportunity to lease a supposedly new and original Trojan. Its capabilities endanger not only explicitly targeted apps that are targeted by an overlay attack, but any app installed on the infected device as ExobotCompact/Octo is able to read the contents of any app displayed on the screen and to provide the actor with enough information to remotely interact with it and perform on-device fraud (ODF),” concludes Threat Fabric.


Ionut Arghire is an international correspondent for SecurityWeek.
