Beware: New Android Banking Malware Can Take Over Your Device, Spread Through Fake Apps

A new and scary Android banking malware that can take over your device and turn it into a vehicle to commit on-device fraud is spreading on many fake apps and bogus websites.

What is Octo?

A new banking Android malware, named Octo, with remote access capabilities that enables malicious actors to execute anything they want to a compromised device has been discovered by the international security experts and researchers at the cybersecurity firm ThreadFabric. Octo or ExobotCompact.D is an evolved Android malware based on ExoCompact, which is a malicious software variant of ExobotCompact, an Exo trojan that had its source code leaked in 2018.

Security experts discovered it after noticing a growing demand for the said malware from several darknet forums users. One of the most striking features of Octo is its advanced remote access module that allows malicious actors to execute on-device fraud (ODF) by controlling the compromised device remotely.

How is it spread?

According to the cybersecurity experts, Octo is being sold on various forums, including the Russian XSS hacking forum. Someone who goes by the name Architect or Goodluck is reportedly responsible for selling the malware online.

Malicious actors also used several apps on the Google Play Store to infect devices with Octo, including the app Fast Cleaner, which had 50,000 installs until it was removed from the online storefront. Other Android apps containing the Octo malware include Pocket Screencaster (com.moh.screen), Fast Cleaner 2021 (vizeeva.fast.cleaner), Play Store (com.restthe71), Postbank Security (com.carbuildz), Pocket Screencaster (com.cutthousandjs), BAWAG PSK Security (com.frontwonder2) and Play Store app install (com.theseeye5).

Other Octo campaigns use fake sites with bogus browser update notices or fake Play Store app update warnings to spread the malware. The "actor behind this campaign was first using a quite large target list that included around 70 applications, but at the time of writing this report, it is also highly focused on customers from a specific country (Hungary) and is distributing ExobotCompact.D under the guise of Play Store update through malicious websites," ThreadFabric reported.

What does Octo do?

The malware utilizes a black screen overlay to conceal the remote operation, while hackers can set the screen brightness to zero and activate the no interruption mode to disable all notifications. It also allows malicious actors to execute several tasks unknown to victims, including screen taps, text writing, clipboard modification, data pasting and gestures.

Aside from the remote access system, Octo comes with a keylogger that can track and collect all the victims' actions. These include gathering entered PINs and passwords and accessing the opened websites. It also supports a long list of commands, including sending SMS to a specified number, blocking push notifications from applications, enabling SMS interception, disabling sound, temporarily locking the device's screen and launching applications, to name a few.