Octo, a recently discovered Android banking trojan with remote access capabilities that allows cybercriminals to commit on-device fraud, has been observed in the wild.
Octo was discovered by ThreatFabric security experts, with a subsequent report showing that the trojan is being distributed via darknet market forums and that some malicious actors are interested in buying it.
The Octo Android malware, according to the report, evolved from ExoCompact, a malware variant based on the Exo trojan whose source code was made public in 2018.
Octo’s New “Skills”
Compared to ExoCompact, Octo adds an advanced remote access feature that enables cybercriminals to conduct on-device fraud (ODF) by controlling the affected Android device remotely.
Remote access is provided via the Accessibility Service and a live screen streaming module (updated every second) through Android’s MediaProjection.
As explained by BleepingComputerthe new banking trojan hides the target’s remote processes behind a black screen overlay, sets the screen brightness to zero, and deactivates all notifications by activating the “no interruption” mode.
Octo can carry out multiple tasks without the victim’s knowledge by making the device seem to be shut down. Examples of these tasks include:
- screen taps
- message writing
- clipboard modification
- data pasting scrolling up and down.
In addition to the remote access module, Octo includes a powerful keylogger that can track and record all of the victims’ activities on compromised Android devices, such as entering PINs, browsing websites, and others. Octo Android banking malware supports a long list of commands, including:
- block push notifications from specific applications.
- allow text message interception.
- turn off the sound and lock the device’s screen for a short period of time.
- start a specified application.
- initiate / end remote access session.
- keep list of C2s updated.
- open specified URL Send SMS with specified text to a specified phone number.
Who’s Behind Octo?
As per BleepingComputer, a hacker with the pseudonym “Architect” or “goodluck” sells the new variant on forums such as the Russian-speaking XSS hacking forum. However, while the majority of posts on XSS are in Russian, almost all communication between Octo and prospect customers is in English.
ThreatFabric researchers think that the developer’s malware is either the same creator or a new owner of ExoCompact’s source code given the extensive resemblance with ExoCompact, including Google Play publication success, Google Protect disabling function, and reverse engineering protection system.
ExoCompact also features a remote access system, although a more basic one, as well as command execution delay options and an admin panel that is similar to Octo’s.
Thus, having these facts in mind, we conclude that ExobotCompact was rebranded to Octo Android banking Trojan and is rented by its owner “Architect”, also known as “goodluck”. ThreatFabric tracks this variant as ExobotCompact.D.
One of the most recent Google Play apps to compromise devices with Octo trojan was “Fast Cleaner,” which had 50,000 downloads before it was noticed and removed in February 2022. After the Fast Cleaner campaign was finished, several Octo developers used an app called ” Pocket Screencaster ”to re-infiltrate the Play Store.
Other operations conducted by Octo’s creators were based on websites using fake browser update notifications or false Play Store app update alerts.
Remote access trojans become more common, making strong account security measures like two-factor authentication useless because the cybercriminals have complete control over the device and its logged-in accounts.
This is why users should remain alert, limit the number of apps installed on their devices, and verify if Play Protect is enabled on a regular basis.