Cybersecurity researchers have uncovered an upgraded version of the notorious Android banking trojan "Octo," which comes with enhanced capabilities to take over devices and perform fraudulent transactions. Codenamed Octo2, this evolved malware variant has been spotted in European countries such as Italy, Poland, Moldova, and Hungary, according to a report by the Dutch security firm ThreatFabric, shared with The Hacker News.
Octo2, like its predecessor, is distributed through malicious apps that impersonate legitimate services. Some of the fake apps identified by researchers include:
- Europe Enterprise (com.xsusb_restore3)
- Google Chrome (com.havirtual06numberresources)
- NordVPN (com.handedfastee5)
Origins of Octo and its Evolution
Octo first gained attention in early 2022, believed to be the creation of a cybercriminal using the online aliases Architect and goodluck. ThreatFabric has described Octo as a direct descendant of the Exobot malware, originally detected in 2016. Exobot targeted financial institutions globally, with its campaigns reaching Turkey, France, Germany, Australia, Thailand, and Japan. It later inspired a variant called Coper in 2021.
Exobot, which is based on the source code of the banking trojan Marcher, was actively maintained until 2018. It targeted financial institutions with sophisticated campaigns, and a "lite" version called ExobotCompact was subsequently developed and distributed on dark-web forums by a threat actor known as android.
The leak of Octo’s source code earlier this year appears to have fueled the development of Octo2, as threat actors quickly seized the opportunity to modify and deploy new variants of the malware.
Malware-as-a-Service: Octo’s New Model
A major shift in the distribution of Octo2 is its transition into a malware-as-a-service (MaaS) model. According to Team Cymru, this new business model allows Octo's developers to monetize the malware by offering it to cybercriminals who are looking to execute information theft operations.
To entice potential users, the developer of Octo announced that Octo2 would be available to Octo1 customers at the same price, with early access. ThreatFabric expects that actors using Octo1 will soon switch to Octo2, expanding its reach across the global threat landscape.
Key Improvements in Octo2
Octo2 introduces significant enhancements compared to its predecessor. One of the standout features is the incorporation of a Domain Generation Algorithm (DGA), which automatically generates the domain names for the malware’s command-and-control (C2) servers. This, coupled with better anti-analysis techniques, makes Octo2 more resilient against detection and takedown efforts.
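As an added, defender-side illustration (not code from ThreatFabric's report, and not Octo2's actual DGA, which the report does not disclose), the following Python scores hostnames from a constructed DNS query log for the traits DGA-generated C2 names typically share: long, high-entropy, vowel-poor second-level labels. The log format, thresholds and sample domains are assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS log from an Android device; the domains are made up
# for this example and are not real Octo2 indicators.
SAMPLE_DNS_LOG = """\
2024-09-24T10:01:02Z android-1 query A www.google.com
2024-09-24T10:01:05Z android-1 query A cdn.nordvpn.com
2024-09-24T10:01:09Z android-1 query A qkxv7mz3tpwl.xyz
2024-09-24T10:01:12Z android-1 query A zjr8hwq4ncbt.top
2024-09-24T10:01:20Z android-1 query A mail.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_dga_like(hostname: str, min_len: int = 10,
                entropy_threshold: float = 3.0,
                max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic (assumed thresholds): flag a hostname whose second-level
    label is long, high-entropy and vowel-poor. Expect some false positives
    on CDN or tracking hostnames; treat hits as leads, not verdicts."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # DGAs usually generate the second-level label
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return (shannon_entropy(label) >= entropy_threshold
            and vowel_ratio <= max_vowel_ratio)

def flag_dga_queries(log_text: str) -> list[str]:
    """Return the queried hostnames in the log that look machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        # Expected constructed layout: timestamp host "query" type name
        if len(parts) < 5 or parts[2] != "query":
            continue
        if is_dga_like(parts[4]):
            flagged.append(parts[4])
    return flagged
```

Hits should be correlated with the querying app and with the Zombinder-style dropper behaviour described below, since a single odd lookup is weak evidence on its own.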
Moreover, the developers have improved the malware’s stability, particularly in its ability to perform Device Takeover (DTO) attacks. These attacks allow cybercriminals to remotely control an infected device to conduct fraudulent transactions without the user’s knowledge.
Distribution Techniques and Zombinder
The rogue Android apps distributing Octo2 are created using a known APK binding service called Zombinder. This service enables attackers to trojanize legitimate applications, tricking users into downloading what appears to be a normal app. Once installed, the app retrieves the actual malware, in this case, Octo2, under the guise of installing a necessary plugin.
This stealthy distribution mechanism, combined with Octo2’s advanced remote access capabilities, poses a significant threat to mobile banking users globally. Its ability to perform on-device fraud, intercept sensitive data, and operate invisibly has made it a preferred tool for threat actors worldwide.
A Global Threat
With the original Octo’s source code now widely available, Octo2 has capitalized on this foundation by offering more robust remote access features and sophisticated obfuscation techniques. As more threat actors gain access to this enhanced variant, the stakes for mobile banking users around the world are higher than ever.
ThreatFabric warns that Octo2’s ease of customization makes it a versatile tool for cybercriminals, raising concerns about the future of mobile banking security.
In light of these developments, mobile users are urged to exercise caution when downloading apps from unverified sources and stay vigilant against the rising threat of mobile malware.