Octo Android banking malware

Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud.

What is Octo?

Octo is an evolved Android malware based on ExoCompact, a variant of the Exo trojan, which left the cybercrime space and had its source code leaked in 2018.
According to the information we were able to unearth, the trojan was being sold as early as mid-June 2016, when its creator (or one of its creators) opened a thread on a Russian-speaking hacking forum.
Shortly after, a listing appeared on AlphaBay, then the largest Dark Web marketplace for illegal products.

The trojan is currently sold at different prices depending on where the ad appears, but in every case Exo is rented out on a weekly, monthly, or yearly basis.

According to its creator(s), Exo is worth its price. First of all, Exo works on Android versions 4, 5, and 6. In some ads, it's also advertised as working on Android 7, but this may be just false advertising, since not all listings advertise this feature.

Furthermore, the crooks boast that the trojan doesn't need root access to work and that users can't uninstall it manually, meaning they need to completely reflash the phone to get rid of Exo.

One thing the life cycle of malware shows is how malicious code packages evolve over time. It's a case of threat actors grabbing something that works and then improving or extending it. One example is a breed of banking malware that first popped up in 2016 called Exobot. It went after users in several countries until 2018, when it morphed into ExobotCompact, a remote access trojan (RAT) with several additional subtypes. Recently, cybersecurity researchers discovered Octo, a new RAT that essentially evolved from Exobot but has even more deceptive features, such as the one that lets the trojan hide its activity even as it turns your phone into a vehicle for committing fraud.

Octo has a lot in common with ExobotCompact, including measures to hinder reverse-engineering of the malware, code that makes it easy to hide inside an innocent-seeming app on the Google Play Store, and the neat trick of disabling Google Play Protect once installed. What sets Octo apart is its on-device fraud (ODF) functionality. While ODF isn't new to the malware ecosphere, it is the feature that distinguishes Octo from the rest of the Exobot family of malicious apps.

Remote access is provided by a live screen-streaming module (refreshed every second) built on Android's MediaProjection API, with remote actions performed through the Accessibility Service.

Octo uses a black screen overlay to hide the operator's remote actions from the victim, sets screen brightness to zero, and disables all notifications by activating the "no interruption" mode.

By making the device appear to be turned off, the malware can perform various tasks without the victim knowing. These tasks include screen taps, gestures, text writing, clipboard modification, data pasting, and scrolling up and down.

Apart from the remote access system, Octo also features a powerful keylogger that can monitor and capture the victim's actions on the infected Android device.

This includes entered PINs, opened websites, clicks and elements clicked, focus-changing events, and text-changing events.

Some Octo operators managed to infiltrate the Play Store again after the Fast Cleaner operation was over, using an app named "Pocket Screencaster."

The known Android apps containing the Octo malware are listed below:
  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (vizeeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2)
  • Play Store app install (com.theseeye5)
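Two facts above give a defender something concrete to check: the package names of the known Octo-laden apps, and the fact that Octo's remote actions run through an enabled Accessibility Service. The following triage helper is an added example, not code from the original post or from any researcher cited here. It parses output captured from a device with `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`, flags any package from the list above, and flags any accessibility service that is not on an allowlist. The sample outputs and the `EXPECTED_A11Y_PACKAGES` allowlist are constructed for the example.

```python
"""Triage helper: flag known Octo package names and unexpected accessibility
services in output captured from an Android device via adb.

Added example; the sample inputs below are constructed and were not captured
from a real infection.
"""

# Package names published for the Octo-laden apps listed above.
OCTO_PACKAGES = {
    "com.moh.screen",
    "vizeeva.fast.cleaner",
    "com.restthe71",
    "com.carbuildz",
    "com.cutthousandjs",
    "com.frontwonder2",
    "com.theseeye5",
}

# Accessibility services you expect to be enabled on managed devices.
# Assumed allowlist for the example; adjust per fleet. Octo drives the UI
# through an enabled accessibility service, so anything outside this list
# deserves a closer look.
EXPECTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of `adb shell pm list packages -3` (third-party apps).
SAMPLE_PM_LIST = """\
package:com.example.bank
package:com.moh.screen
package:com.whatsapp
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated `package/ServiceClass` entries).
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.moh.screen/com.moh.screen.AccService"
)


def parse_pm_list(output: str) -> set[str]:
    """Return the package names from `pm list packages` output."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_a11y_services(setting: str) -> set[str]:
    """Return the package part of each enabled accessibility service.

    The setting reads `null` (or is empty) when no service is enabled.
    """
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_output: str, a11y_setting: str) -> dict[str, set[str]]:
    """Cross-check installed packages and enabled accessibility services."""
    installed = parse_pm_list(pm_output)
    a11y = parse_a11y_services(a11y_setting)
    return {
        # Direct hit on a published Octo package name.
        "known_octo_packages": installed & OCTO_PACKAGES,
        # Any accessibility service the fleet does not expect.
        "unexpected_a11y_services": a11y - EXPECTED_A11Y_PACKAGES,
        # Strongest signal: a known Octo package that also holds the
        # accessibility privilege it needs for remote control.
        "octo_with_a11y": a11y & OCTO_PACKAGES,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_LIST, SAMPLE_A11Y_SETTING).items():
        print(f"{key}: {sorted(value) or '-'}")
```

Package names are cheap for an operator to change, so the name match is the weaker of the two checks; the accessibility-service review is the one worth keeping in a routine device-health script, since the remote-control capability described above cannot function without that privilege.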

Finally, Octo supports an extensive list of commands, with the most important being:
  • Block push notifications from specified applications
  • Enable SMS interception
  • Disable sound and temporarily lock the device's screen
  • Launch a specified application
  • Start/stop remote access session
  • Update list of C2s
  • Open specified URL
  • Send SMS with specified text to a specified phone number

Anything the user sees on their device's screen is within reach of these malware variants, so after infection no information is safe and no on-device protection measure remains effective.

That said, users need to remain vigilant, keep the number of apps installed on their smartphones at a minimum, and regularly check to ensure Play Protect is enabled.
