
Octo Banking Trojan

Cybersecurity researchers have caught the traces of another potent Android banking Trojan. The threat is tracked as Octo and, according to the analysis performed by malware researchers, it is part of a mobile malware family known as Exobot. More specifically, Octo appears to be a revised version of the ExobotCompact threat. The rebrand may have been an attempt by the cybercriminals to present the new variants as brand new creations and to distance them from the fact that Exobot's source code was leaked.

Decoy Applications

The Octo threat was distributed via corrupted applications that act as droppers. Some of these applications were available for a time on the Google Play Store, where they amassed over 50 thousand downloads. Octo's operators also employed deceptive websites and landing pages that dropped the applications onto victims' devices under the guise of browser updates. The rogue applications posed as application installers, screen recorders, and financial applications. Some of the identified applications delivering the Octo threat included Pocket Screencaster (com.moh.screen), Fast Cleaner 2021 (, Postbank Security (com.carbuildz), BAWAG PSK Security (com.frontwonder2), Play Store app install (com.theseeye5), etc.

Threatening Capabilities

Users would be asked to grant Accessibility Services permissions to the fraudulent programs. Another legitimate Android feature abused by Octo is the MediaProjection API, which lets the threat capture the contents of the device's screen in real time. In practice, this means Octo can perform on-device fraud (ODF) automatically, without manual input from its operators. The threat can perform overlay attacks against multiple financial and banking applications to obtain the user's login credentials. Octo can also establish keylogging routines, harvest contact information, gain remote control over the device, and more. The threat is also equipped with evasion techniques that make detection more difficult, and with persistence mechanisms that ensure its prolonged presence on compromised devices.
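Because Octo depends on Accessibility Service access, a quick triage of an Android device is to correlate the installed package list with the enabled accessibility services and the dropper package names listed above. The script below is an added example, not part of this entry; the `adb shell` output it parses is constructed, the service class names in it are made up, and the filter that skips `com.android.` and `com.google.` packages is a simplifying assumption.

```python
"""Triage helper: cross-reference `adb shell pm list packages` and
`adb shell settings get secure enabled_accessibility_services` output
against the Octo dropper package names named in this entry."""

# Package names of the Octo droppers listed above.
OCTO_DROPPER_PACKAGES = {
    "com.moh.screen",      # Pocket Screencaster
    "com.carbuildz",       # Postbank Security
    "com.frontwonder2",    # BAWAG PSK Security
    "com.theseeye5",       # Play Store app install
}

# Assumption: treat these prefixes as platform packages and skip them.
PLATFORM_PREFIXES = ("com.android.", "com.google.")


def parse_pm_list(output: str) -> set:
    """Parse `pm list packages` output: one 'package:<name>' per line."""
    return {
        line.strip()[len("package:"):]
        for line in output.splitlines()
        if line.strip().startswith("package:")
    }


def parse_accessibility_services(setting: str) -> set:
    """Parse the enabled_accessibility_services value, a colon-separated
    list of <package>/<service class> entries (or 'null' when empty)."""
    setting = setting.strip()
    if setting in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_output: str, a11y_setting: str, known=OCTO_DROPPER_PACKAGES) -> dict:
    """Return known droppers installed and non-platform packages that hold
    Accessibility Service access (the capability Octo relies on)."""
    installed = parse_pm_list(pm_output)
    a11y_pkgs = parse_accessibility_services(a11y_setting)
    return {
        "known_droppers": sorted(installed & known),
        "accessibility_packages": sorted(
            p for p in a11y_pkgs if not p.startswith(PLATFORM_PREFIXES)),
    }


# Constructed sample output, not captured from a real device.
SAMPLE_PM = "package:com.android.settings\npackage:com.google.android.gms\n" \
            "package:com.frontwonder2\npackage:com.example.notes\n"
SAMPLE_A11Y = ("com.frontwonder2/com.frontwonder2.AccService:"
               "com.google.android.marvin.talkback/.TalkBackService")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```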
