Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions.
The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding that campaigns distributing the malware have been spotted in European countries such as Italy, Poland, Moldova, and Hungary.
"The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said.
Some of the malicious apps containing Octo2 are listed below -
- Europe Enterprise (com.xsusb_restore3)
- Google Chrome (com.havirtual06numberresources)
- NordVPN (com.handedfastee5)
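The three package names above are the only Octo2 indicators the report gives, so the obvious first check on a fleet of Android devices is to compare installed packages against them. The script below is an added example, not ThreatFabric's or Google's tooling: it parses output in the format of `adb shell pm list packages -f` (the sample output is constructed for the demo) and reports any match, together with the APK path, which tells you whether the app was sideloaded into `/data/app` or ships as a system package.

```python
"""Hunt for the Octo2 package names in `pm list packages -f` output (added example)."""

# Package names listed in the ThreatFabric report, mapped to the app name they impersonate.
OCTO2_PACKAGES = {
    "com.xsusb_restore3": "Europe Enterprise",
    "com.havirtual06numberresources": "Google Chrome",
    "com.handedfastee5": "NordVPN",
}

# Constructed sample in the shape of `adb shell pm list packages -f` output
# (one line per package: package:<apk path>=<package name>). Not real device data.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Q1abc==/com.android.chrome-AbC123/base.apk=com.android.chrome
package:/data/app/~~Z9xyz==/com.havirtual06numberresources-Xy7Z/base.apk=com.havirtual06numberresources
package:/product/app/Calendar/Calendar.apk=com.google.android.calendar
"""


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> APK path, skipping lines that are not `package:` entries."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        # The APK path itself never contains '=', so split on the last one to be safe.
        path, sep, name = body.rpartition("=")
        if not sep:
            # `pm list packages` without -f prints just the name; keep it with no path.
            path, name = "", body
        packages[name] = path
    return packages


def find_iocs(output: str, iocs: dict[str, str] = OCTO2_PACKAGES) -> list[tuple[str, str, str]]:
    """Return (package, impersonated app, apk path) for every installed IOC package."""
    installed = parse_pm_list(output)
    return [(pkg, iocs[pkg], installed[pkg]) for pkg in sorted(iocs) if pkg in installed]


def is_sideloaded(apk_path: str) -> bool:
    """User-installed apps live under /data/app; system partitions hold preloaded ones."""
    return apk_path.startswith("/data/app/")


if __name__ == "__main__":
    for pkg, label, path in find_iocs(SAMPLE_PM_OUTPUT):
        origin = "sideloaded" if is_sideloaded(path) else "system"
        print(f"HIT {pkg} (poses as {label}) at {path} [{origin}]")
```

In practice you would feed it the real output (`adb shell pm list packages -f`) and extend `OCTO2_PACKAGES` as new samples are published; package names are cheap for the operators to rotate, so treat a miss as absence of these three builds only, not as a clean bill of health.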
Octo was first flagged by the company in early 2022, which described it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed to be a "direct descendant" of the Exobot malware originally detected in 2016, which also spawned another variant dubbed Coper in 2021.
"Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018 targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan," ThreatFabric noted at the time.
"Subsequently, a 'lite' version of it was introduced, named ExobotCompact by its author, the threat actor known as 'android' on dark-web forums."
The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn multiple variants of the malware.
Another major development is Octo's transition to a malware-as-a-service (MaaS) operation, per Team Cymru, enabling the developer to monetize the malware by offering it to cybercriminals who are looking to carry out information theft operations.
"When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access," ThreatFabric said. "We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape."
Among the significant changes in Octo2 is the introduction of a Domain Generation Algorithm (DGA) to produce the command-and-control (C2) server name, alongside improvements to its overall stability and anti-analysis techniques.
A DGA-based C2 scheme has an inherent advantage for the operator: the implant and the operator derive the same list of candidate domains from a shared seed, so the operator can register a fresh domain whenever an old one is blocked or seized, rendering static domain blocklists ineffective and improving resilience against takedown attempts. The flip side for defenders is that once the algorithm and seed are recovered from a sample, the upcoming domains can be computed ahead of time for blocking or sinkholing.
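To make the blocklist argument concrete, the following is an added example of a toy date-seeded DGA together with the defender-side precompute. It is not Octo2's algorithm (ThreatFabric has not published it); the seed, the SHA-256 construction, the label length and the TLD pool are all assumptions chosen for the demo.

```python
"""Toy date-seeded DGA and the matching defender precompute (added example, not Octo2's code)."""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Assumed demo values: a shared secret seed and a small TLD pool. Real families differ.
DEMO_SEED = b"demo-seed-not-from-octo2"
TLDS = ("com", "net", "org")
DEMO_DAY = date(2024, 9, 23)          # arbitrary day for the walkthrough
NEXT_DAY = DEMO_DAY + timedelta(days=1)


def dga_domains(day: date, count: int = 8, seed: bytes = DEMO_SEED) -> list[str]:
    """Return `count` candidate C2 domains for `day`.

    Implant and operator both run this; the operator registers one entry,
    the implant walks the list until a name resolves.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(1, "big")
        label = hashlib.sha256(material).hexdigest()[:12]   # 12 hex chars of gibberish
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def blocklist_coverage(blocklist: set[str], candidates: list[str]) -> float:
    """Fraction of a day's candidates that a given blocklist would catch."""
    if not candidates:
        return 0.0
    return sum(d in blocklist for d in candidates) / len(candidates)


def precompute_domains(start: date, days: int, count: int = 8, seed: bytes = DEMO_SEED) -> set[str]:
    """Defender side: with seed and algorithm recovered, generate every domain
    for the next `days` days so they can be blocked or sinkholed in advance."""
    future = set()
    for offset in range(days):
        future.update(dga_domains(start + timedelta(days=offset), count, seed))
    return future


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; hash-derived labels score far higher
    than dictionary words, a cheap first-pass heuristic for DGA traffic."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    # A blocklist built from today's observed domains catches nothing tomorrow...
    static_block = set(dga_domains(DEMO_DAY))
    print("static blocklist vs next day:", blocklist_coverage(static_block, dga_domains(NEXT_DAY)))
    # ...whereas a precomputed list from the recovered seed catches everything.
    predicted = precompute_domains(DEMO_DAY, 30)
    print("precomputed list vs next day:", blocklist_coverage(predicted, dga_domains(NEXT_DAY)))
    for d in dga_domains(NEXT_DAY, 3):
        print(d, "entropy =", round(shannon_entropy(d.split(".")[0]), 2))
```

The entropy heuristic on its own produces false positives (CDN hostnames, hashed subdomains), so in a detection pipeline it is a triage signal to pair with NXDOMAIN bursts from one device, not a verdict.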
The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which makes it possible to trojanize legitimate applications such that they retrieve the actual malware (in this case, Octo2) under the guise of installing a "necessary plugin."
There is presently no evidence to suggest that Octo2 is propagated via the Google Play Store, indicating that users are likely either downloading the apps from untrusted sources or being tricked into installing them via social engineering.
A Google spokesperson confirmed to The Hacker News that the company did not find any evidence of the malware on the official storefront, and that Google Play Protect automatically protects users from known versions of the malware.
"With the original Octo malware's source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques," ThreatFabric said.
"This variant's ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally."
(The story was updated after publication on October 4, 2024, to include a response from Google.)