Beware: Octo2 Android Malware Steals Banking Credentials

The Exobot malware family, initially a banking trojan, evolved into ExobotCompact in 2019, becoming more compact but retaining key features. In 2021, it resurfaced as “Coper,” then reappeared in 2022 under the alias “Octo,” indicating its ongoing development and adaptability in the mobile malware landscape.

The Octo malware family has seen increased activity since 2022, with more campaigns and actors gaining access. In 2024, a leaked source code led to multiple forks and the release of Octo2 by the original threat actor, further expanding its capabilities and threat landscape.

Octo malware-as-a-service campaigns have targeted various regions worldwide, and the upcoming release of Octo2 is expected to expand its global reach as existing users switch to the new version, potentially increasing the threat landscape.

Campaigns of Octo2

The “block_push_apps” setting in Octo2 lists the applications whose push notifications the malware intercepts. The presence of specific applications on this list shows that the operators selected them as targets in advance rather than picking them up opportunistically.

Threat actors behind Octo2 are targeting users of mobile banking apps worldwide. They use Zombinder, a plugin, to bypass the installation restrictions introduced in Android 13+ and install Octo2, which masquerades as legitimate applications such as Google Chrome, NordVPN, and “Enterprise Europe Network.”

Zombinder lured the victim into allowing the installation of Octo2

To remain competitive against forks built from the leaked code, Octo must keep innovating: adding new features, enhancing existing ones, and improving performance differentiates it from the leaked version and attracts customers seeking more advanced capabilities.

Octo2 has been updated to improve the stability of remote control sessions and its anti-detection capabilities. The developers added a new setting that reduces the volume of transmitted data and increases connection reliability even on poor networks: it lowers screenshot quality by encoding pixels with fewer bytes, capturing in grayscale, and reducing JPEG quality.

It employs a multi-layered obfuscation approach: native code first decrypts and dynamically loads a library, which in turn decrypts the payload, generates encryption keys, and determines the C2 domains. This makes Octo2 significantly more difficult to analyze and detect than previous versions.

It generates dynamic C2 server names with a date-based DGA. Although such domain names can be easily predicted, Octo2 also derives a new key for each C2 request, using a shared salt for decryption, so communication continues without relying on static values.
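The point that a date-based DGA is predictable cuts both ways: a defender who knows the generation routine can pre-compute the day's candidate names and watch DNS logs for them. The following is an added example, not code from the article or from ThreatFabric's report; the generator is a hypothetical stand-in (the article does not disclose Octo2's actual algorithm), and the resolver log format and sample lines are constructed.

```python
import hashlib
from datetime import date, timedelta

# Placeholder date-seeded generator. This is NOT Octo2's real DGA, which the
# article does not disclose; it only stands in for "a C2 name derived from the
# current date", the property that makes such names predictable to a defender.
def hypothetical_dga(day: date, seed: bytes = b"demo-seed", tld: str = "com") -> str:
    digest = hashlib.sha256(seed + day.isoformat().encode()).hexdigest()
    return f"{digest[:12]}.{tld}"

def candidate_domains(start: date, days: int) -> set[str]:
    """Pre-compute every name the generator yields for a window of dates."""
    return {hypothetical_dga(start + timedelta(days=d)) for d in range(days)}

def default_window(today: date) -> set[str]:
    """Yesterday, today and tomorrow, to absorb clock skew on the handset."""
    return candidate_domains(today - timedelta(days=1), 3)

def flag_dga_queries(log_lines: list[str], candidates: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, qname) for each DNS log line whose queried
    name is in the pre-computed candidate set. Lines are 'ts client qname'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, qname = parts[0], parts[1], parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((ts, client, qname))
    return hits

# Constructed sample: one infected handset resolving today's generated name,
# two benign lookups. The resolver log format is made up for this example.
TODAY = date(2024, 9, 20)
SAMPLE_LOG = [
    "2024-09-20T08:01:12Z 10.0.0.21 www.example.org.",
    f"2024-09-20T08:01:40Z 10.0.0.37 {hypothetical_dga(TODAY)}.",
    "2024-09-20T08:02:03Z 10.0.0.21 update.example.net.",
]

if __name__ == "__main__":
    for hit in flag_dga_queries(SAMPLE_LOG, default_window(TODAY)):
        print("possible DGA C2 lookup:", *hit)
```

In a real deployment the candidate set would be rebuilt daily from the recovered algorithm and pushed to the resolver or SIEM as a blocklist, which is exactly why the per-request key derivation the article describes matters to the operators: it keeps the traffic usable even when the domains themselves are foreseeable.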

The leaked Octo malware source code has enabled the development of Octo2, a more sophisticated and harder-to-detect mobile banking Trojan with enhanced remote access capabilities and advanced obfuscation techniques, posing a significant threat to mobile security.

The mobile malware variant, with its advanced remote access, obfuscation, and leaked source code, poses a serious threat to banking security as its ability to invisibly perform on-device fraud and intercept data makes it a major concern for mobile users and financial institutions worldwide.

According to ThreatFabric, three Android applications, NordVPN, Europe Enterprise, and Google Chrome, have been identified as potentially compromised: their SHA-256 hashes, which serve as unique file identifiers, differ from the expected values, suggesting unauthorized modification or tampering.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.