A New Variant of Octo2 Android Banking Malware Appears with Device Takeover Abilities

Sep 24, 2024 | Ravie Lakshmanan | Mobile Security / Cybercrime


Cybersecurity researchers have revealed an updated iteration of the Android banking malware known as Octo that now includes enhanced features for executing device takeover (DTO) and carrying out fraudulent transactions.

According to a report by the Dutch cybersecurity firm ThreatFabric, this new version has been tagged as Octo2 by its creator, with reports indicating that instances of the malware spreading have been identified in various European nations such as Italy, Poland, Moldova, and Hungary.

“The developers of the malware have taken steps to enhance the reliability of the abilities required for remote actions essential for executing Device Takeover attacks,” the company stated.


Some of the malicious applications hosting Octo2 are listed below:

  • Europe Enterprise (com.xsusb_restore3)
  • Google Chrome (com.havirtual06numberresources)
  • NordVPN (com.handedfastee5)

Octo was first identified by the company in early 2022 and attributed to an online threat actor who uses the aliases Architect and goodluck. It has been acknowledged as a “direct descendant” of the Exobot malware first detected in 2016, which later spawned another variation known as Coper in 2021.

“Derived from the source code of the banking malware Marcher, Exobot was maintained until 2018 with campaigns targeting financial institutions in countries such as Turkey, France, Germany, Australia, Thailand, and Japan,” ThreatFabric mentioned previously.

“Following this, a ‘lite’ version named ExobotCompact was introduced by the threat actor behind it, known as ‘android’ in dark-web circles.”

The emergence of Octo2 is believed to have been primarily influenced by the leak of the Octo source code earlier this year, which prompted other threat actors to create multiple offshoots of the malware.

Another significant development is Octo’s shift to a malware-as-a-service (MaaS) model, according to Team Cymru, which allows the developer to commercialize the malware by offering it to cybercriminals who want to carry out data theft.

“Upon advertising the upgrade, the developer of Octo announced that Octo2 would be accessible to Octo1 users at the same rate with early access,” ThreatFabric revealed. “It is likely that the threat actors who operated Octo1 will transition to Octo2, thus expanding its reach across the global threat landscape.”

One notable enhancement in Octo2 is the inclusion of a Domain Generation Algorithm (DGA) for generating the command-and-control (C2) server name, along with enhancements in stability and anti-analysis strategies.


The rogue Android applications spreading the malware are built with Zombinder, a popular APK binding service that bundles the actual malware (in this case, Octo2) into legitimate applications, where it is presented to the user as a “required plugin.”
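The droppers listed earlier carry familiar brand labels (“Google Chrome”, “NordVPN”) over unrelated package names, and Zombinder-built apps arrive outside the Play Store. The following triage helper, an added example that is not code from ThreatFabric or from the article, flags installed apps whose label belongs to a known brand but whose package name is not the brand's official one, and notes whether the app was sideloaded. The official-package mapping and the inventory rows are assumptions constructed for the example; only the three dropper package names come from the report.

```python
# Added triage helper: flag installed Android apps whose display label impersonates a
# well-known brand but whose package name is not the brand's official one, and note
# whether they were sideloaded. The inventory below is constructed for the example,
# using the dropper package names reported for Octo2.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed official package names for the impersonated brands (extend for your fleet).
OFFICIAL_PACKAGES = {
    "google chrome": {"com.android.chrome", "com.chrome.beta"},
    "nordvpn": {"com.nordvpn.android"},
}
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass(frozen=True)
class InstalledApp:
    label: str
    package: str
    installer: Optional[str]  # package that installed the app; None = unknown/sideloaded


def find_suspicious_apps(inventory: List[InstalledApp]) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) pairs for apps that deserve manual review."""
    findings = []
    for app in inventory:
        reasons = []
        official = OFFICIAL_PACKAGES.get(app.label.strip().lower())
        if official is not None and app.package not in official:
            reasons.append(f"label '{app.label}' used by a non-official package")
        if app.installer != PLAY_STORE_INSTALLER:
            reasons.append("not installed from the Play Store (sideloaded or unknown source)")
        if reasons:
            findings.append((app.package, reasons))
    return findings


# Constructed inventory: the three dropper packages named in the report plus a
# legitimate Chrome install for contrast.
SAMPLE_INVENTORY = [
    InstalledApp("Google Chrome", "com.android.chrome", "com.android.vending"),
    InstalledApp("Google Chrome", "com.havirtual06numberresources", None),
    InstalledApp("NordVPN", "com.handedfastee5", "com.google.android.packageinstaller"),
    InstalledApp("Europe Enterprise", "com.xsusb_restore3", None),
]

if __name__ == "__main__":
    for package, reasons in find_suspicious_apps(SAMPLE_INVENTORY):
        print(package, "->", "; ".join(reasons))
```

On a real device the inventory can be filled from `adb shell pm list packages -i` (installer) together with each app's label; an app flagged for both reasons is a strong candidate for removal and further inspection.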

“With the source code of the original Octo malware already exposed and easily obtainable by various threat actors, Octo2 amplifies this foundation with even more robust remote access capabilities and sophisticated concealment methods,” as mentioned by ThreatFabric.

“The capacity of this variant to carry out invisible on-device fraud and intercept sensitive data, in combination with its ease of customization for various threat actors, elevates the risks for users of mobile banking applications globally.”
