New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

Sep 24, 2024 / Ravie Lakshmanan / Mobile Security / Cybercrime

Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions.

The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding that campaigns distributing the malware have been observed in European countries such as Italy, Poland, Moldova, and Hungary.

“The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks,” the company said.


Some of the malicious apps containing Octo2 are listed below:

  • Europe Enterprise (com.xsusb_restore3)
  • Google Chrome (com.havirtual06numberresources)
  • NordVPN (com.handedfastee5)

Octo was first flagged by the company in early 2022, which described it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed to be a “direct descendant” of the Exobot malware originally detected in 2016, which also spawned another variant dubbed Coper in 2021.

“Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan,” ThreatFabric noted at the time.

“Subsequently, a ‘lite’ version of it was introduced, named ExobotCompact by its author, the threat actor known as ‘android’ on dark-web forums.”

The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn several variants of the malware.

[Figure: timeline]

Another major development is Octo’s transition to a malware-as-a-service (MaaS) operation, per Team Cymru, enabling the developer to monetize the malware by offering it to cybercriminals who want to carry out information theft operations.

“When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access,” ThreatFabric said. “We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape.”

One of the significant improvements in Octo2 is the introduction of a Domain Generation Algorithm (DGA) to create the command-and-control (C2) server name, along with improvements to its overall stability and anti-analysis techniques.

Using a DGA-based C2 system has an inherent advantage in that it allows the threat actor to easily shift to new C2 servers, rendering domain name blocklists ineffective and improving resilience against potential takedown attempts.
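To illustrate why a static blocklist fails against DGA-generated C2 names and what a defender can do instead, here is an added example (not code from the article or from ThreatFabric) that scores queried domains from constructed DNS log lines with a simple lexical heuristic; the blocklist entries and random-looking names are constructed placeholders, not Octo2 indicators, and the heuristic is generic rather than a model of Octo2’s actual DGA, which the report does not describe.

```python
import math
import re
from collections import Counter

# Constructed blocklist: a defender can only list names already seen.
BLOCKLIST = {"oct-update-srv.example", "plugin-cdn.example"}

# Constructed DNS log lines ("timestamp client qname"). The two random-looking
# names stand in for DGA output and are not real Octo2 indicators.
DNS_LOG = """\
2024-09-24T10:00:01Z 10.0.0.12 play.google.com
2024-09-24T10:00:02Z 10.0.0.12 oct-update-srv.example
2024-09-24T10:00:03Z 10.0.0.12 kq7xzv9bmw3trh.example
2024-09-24T10:00:04Z 10.0.0.12 mail.example.org
2024-09-24T10:00:05Z 10.0.0.12 p2j8ndxv4qlcwt.example
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(domain: str) -> float:
    """Heuristic 0..1 score for the label below the TLD (the part a DGA usually
    generates): high entropy, few vowels and long non-vowel runs push it up."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 6:                                   # too short to judge
        return 0.0
    entropy = min(shannon_entropy(label) / 4.0, 1.0)     # ~4 bits is near-uniform
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    runs = re.findall(r"[^aeiou]+", label) or [""]
    longest_run = min(max(len(r) for r in runs) / 6.0, 1.0)
    return round(0.5 * entropy + 0.25 * (1 - vowel_ratio) + 0.25 * longest_run, 3)

def triage(log: str, threshold: float = 0.7) -> dict:
    """Split queried names into static blocklist hits and DGA-like names the
    blocklist alone would have missed."""
    hits = {"blocklist": [], "heuristic": []}
    for line in log.splitlines():
        qname = line.split()[-1].lower()
        if qname in BLOCKLIST:
            hits["blocklist"].append(qname)
        elif dga_score(qname) >= threshold:
            hits["heuristic"].append(qname)
    return hits

if __name__ == "__main__":
    print(triage(DNS_LOG))
```

Only one of the three suspicious names is caught by the blocklist; the two algorithmically shaped names surface solely through the heuristic, which is the gap the paragraph above describes.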


The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which makes it possible to trojanize legitimate applications such that they retrieve the actual malware (in this case, Octo2) under the guise of installing a “necessary plugin.”

There is currently no evidence to suggest that Octo2 is propagated via the Google Play Store, indicating that users are likely either downloading the apps from untrusted sources or being tricked into installing them via social engineering.

“With the original Octo malware’s source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques,” ThreatFabric said.

“This variant’s ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally.”
