Cybersecurity researchers have identified a new version of the Android banking trojan known as Octo, which features enhanced capabilities for device takeover (DTO) and executing fraudulent transactions. This new iteration, codenamed Octo2 by the malware author, has been detailed in a report by the Dutch security firm ThreatFabric, which has observed campaigns distributing the malware in various European countries, including Italy, Poland, Moldova, and Hungary.
“The malware developers have implemented measures to enhance the stability of the remote actions necessary for Device Takeover attacks,” ThreatFabric stated.
Some of the malicious applications harboring Octo2 include:
- Europe Enterprise (com.xsusb_restore3)
- Google Chrome (com.havirtual06numberresources)
- NordVPN (com.handedfastee5)
Octo was first flagged by ThreatFabric in early 2022 and is attributed to a threat actor known by the online aliases Architect and goodluck. It has been assessed as a “direct descendant” of the Exobot malware, which was initially detected in 2016 and later gave rise to a variant called Coper in 2021.
“Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018, targeting financial institutions through various campaigns in Turkey, France, Germany, Australia, Thailand, and Japan,” ThreatFabric noted previously.
The emergence of Octo2 is largely attributed to the leak of the Octo source code earlier this year, which has enabled other threat actors to create multiple variants of the malware. A significant development is Octo’s transition to a malware-as-a-service (MaaS) model, as reported by Team Cymru. This shift allows the developer to monetize the malware by offering it to cybercriminals seeking to carry out information theft operations.
“When promoting the update, the owner of Octo announced that Octo2 will be available to users of Octo1 at the same price with early access,” ThreatFabric added. “We can expect that actors previously operating Octo1 will migrate to Octo2, thereby integrating it into the global threat landscape.”
Among the notable improvements in Octo2 is the introduction of a Domain Generation Algorithm (DGA) to create command-and-control (C2) server names, along with enhanced stability and anti-analysis techniques.
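The report names a DGA as one of the additions but does not describe the algorithm itself, so the following is an added defender-side example and not Octo2's generator, ThreatFabric's code, or any detail from the report. It shows the kind of lightweight heuristic a SOC can run over DNS query logs to surface DGA-like names for triage: a name whose registrable label is long, high-entropy, consonant-heavy and digit-laden scores higher than an ordinary brand or service name. The log lines, field layout, scoring thresholds and the naive second-level-label split (no public suffix list) are all constructed assumptions for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (not from the report): timestamp, client IP, query name.
SAMPLE_DNS_LOG = """\
2024-09-23T10:01:02Z 10.0.0.15 query google.com
2024-09-23T10:01:03Z 10.0.0.15 query mail.example-bank.com
2024-09-23T10:01:09Z 10.0.0.22 query xkq7v3zp9mtbw1r.com
2024-09-23T10:01:10Z 10.0.0.22 query cdn.jsdelivr.net
2024-09-23T10:01:11Z 10.0.0.22 query hq4zx8vbn2tpkwl.net
"""

# Assumed log format: "<timestamp> <client> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (higher = more random-looking)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Naive second-level label (assumption: no public suffix list, so 'example.co.uk' is not handled)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[0] if len(parts) < 2 else parts[-2]


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consecutive consonant letters; digits and hyphens break the run."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label: str) -> int:
    """Count how many DGA-like traits the label shows (0..4). Thresholds are assumptions."""
    score = 0
    if len(label) >= 12:                       # generated labels are often long
        score += 1
    if shannon_entropy(label) >= 3.5:          # near-uniform character usage
        score += 1
    if longest_consonant_run(label) >= 4:      # unpronounceable clusters
        score += 1
    digits = sum(ch.isdigit() for ch in label)
    if digits / max(len(label), 1) >= 0.15:    # digits mixed into letters
        score += 1
    return score


def flag_dga_candidates(log_text: str, threshold: int = 3):
    """Return (client, qname, score) for every query whose label reaches the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        label = registrable_label(m["qname"])
        score = dga_score(label)
        if score >= threshold:
            hits.append((m["client"], m["qname"], score))
    return hits


if __name__ == "__main__":
    for client, qname, score in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like name {qname} (score {score})")
```

On the constructed log the two random-looking names score 4 and are flagged, while google.com, example-bank.com and jsdelivr.net score 0 or 1 and pass. In production this heuristic is a triage filter rather than a verdict: pair it with a public-suffix-aware label split, CDN and cloud allow-lists, and query-volume context per client, since legitimate content-delivery hostnames can also look random.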
The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which allows the trojanization of legitimate applications to retrieve the actual malware (in this instance, Octo2) under the guise of installing a “necessary plugin.”
“With the original Octo malware’s source code already leaked and readily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and advanced obfuscation techniques,” ThreatFabric emphasized.
“This variant’s capacity to invisibly execute on-device fraud and intercept sensitive data, combined with its customizable nature for different threat actors, heightens the risk for mobile banking users worldwide.”