New Banking Malware [Octo] Remotely Controls Android Devices

We have learned of an Android banking malware called “Octo” with remote access capabilities that allow attackers to commit fraud on the device.

In mid-2021, a new strain of Android banking malware was confirmed to be in the wild. Some AV vendors have classified it as a new family named “Cooper,” but ThreatFabric’s threat intelligence identifies it as a direct successor to the fairly well-known “Exobot” malware family.

First observed in 2016, Exobot remained active until 2018, targeting financial institutions in campaigns focused on Turkey, France, and Germany as well as Australia, Thailand, and Japan. Later, a “lite” version of it appeared, named ExobotCompact by its creator, who is known as “android” on dark web forums.

Octo is believed to be Android malware that evolved from ExoCompact, a variant based on the Exo Trojan whose source code was leaked.

Summary of on-device fraud features

An important new feature of Octo compared to ExoCompact is the inclusion of an advanced remote access module that allows attackers to remotely control Android devices to perform on-device fraud (ODF).

Remote access is implemented with a live screen-streaming module (refreshed every second) built on Android’s MediaProjection API, while the remote actions themselves are carried out through the Accessibility Service.

Octo hides the remote-control session behind a black screen overlay, sets the screen brightness to zero, and suppresses all notifications by enabling the “no interruptions” mode.

Because the device appears to be switched off, the malware can carry out a variety of actions without the victim noticing: tapping the screen, performing gestures, typing text, changing the clipboard, pasting data, and scrolling up and down.
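The remote-control technique above leaves traces a banking app or MDM agent can look for at runtime. The following Java class is an added example, not code from the article or from ThreatFabric; the trusted-package allowlist is a hypothetical placeholder that each organisation would fill with the accessibility services it has actually vetted.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.NotificationManager;
import android.content.Context;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Runtime risk check an app can run before showing a sensitive screen (added example). */
public final class RemoteControlRiskCheck {

    // Hypothetical allowlist: accessibility services the organisation has vetted (e.g. a screen reader).
    private static final Set<String> TRUSTED_ACCESSIBILITY_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    /** Returns human-readable signals; an empty list means none of the checks fired. */
    public static List<String> findRiskSignals(Context ctx) {
        List<String> signals = new ArrayList<>();

        // Strong signal: an enabled accessibility service from a package we do not trust.
        // Octo injects taps, gestures and text through the Accessibility Service.
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo info
                    : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                String pkg = info.getResolveInfo().serviceInfo.packageName;
                if (!TRUSTED_ACCESSIBILITY_PACKAGES.contains(pkg)) {
                    signals.add("untrusted accessibility service enabled: " + pkg);
                }
            }
        }

        // Weak corroborating signals: Octo mutes the device with "no interruptions" mode and
        // drops brightness to zero while it hides the session behind a black overlay.
        NotificationManager nm =
                (NotificationManager) ctx.getSystemService(Context.NOTIFICATION_SERVICE);
        if (nm != null
                && nm.getCurrentInterruptionFilter() == NotificationManager.INTERRUPTION_FILTER_NONE) {
            signals.add("interruption filter set to NONE (total silence)");
        }
        int brightness = Settings.System.getInt(
                ctx.getContentResolver(), Settings.System.SCREEN_BRIGHTNESS, -1);
        if (brightness == 0) {
            signals.add("screen brightness is 0");
        }
        return signals;
    }
}
```

None of these signals alone proves compromise (a user may legitimately run a screen reader or enable total silence), so the calling app decides whether a hit should block the transaction, trigger step-up authentication, or only be reported to the fraud team.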

Apart from remote access, Octo is equipped with a powerful keylogger that monitors and records all of the victim’s activity on the infected Android device.

This includes PINs entered, websites opened, elements clicked, focus-change events, text-change events, and so on.

Finally, Octo supports a range of commands, the most important of which are:

  • Block push notifications from specified application
  • Intercept SMS
  • Disable sound, temporarily lock screen
  • Start specified application
  • Start/stop remote access session
  • Update C2 list
  • Open specified URL
  • Send SMS with specified text to specified phone number

Octo is sold on the Russian-speaking XSS hacking forum and other forums by threat actors using the pseudonyms “architect” and “goodluck.”
