Introduction

Banks and other financial institutions are being targeted by rogue Android apps that have been installed from the official Google Play Store more than 50,000 times cumulatively.

The name of the malware is Octo and the malware is able to take control of the device and perform remote commands on it, compromising the important information including the banking details of the user.

According to a ThreatFabric report, Octo is apparently a rebranded version of ExobotCompact, a “lite” replacement for its Exobot predecessor.

The big difference between the two is that Octo comes with an advanced remote access module. This module helps hackers to perform on-device fraud, as it lets them control the compromised Android device remotely through a live screen streaming module which is updated every second.

 

How is it spread?

Once installed on the device, Octo hides remote operations on the device with a black screen overlay. The malware also disables all notifications of the device by activating a “no interruption” mode in addition to setting the screen brightness to zero. As a result, it appears that the device is turned off, leaving the device owner with no idea what is going on. Meanwhile, the malware is able to execute commands remotely.

Additionally, Octo includes a keylogger capable of monitoring and recording all actions performed on infected Android devices. A list of these commands includes blocking push notifications, intercepting SMS, activating temporary screen locks, disabling sounds, starting and stopping remote sessions, launching applications remotely, opening URLs, and even sending SMSs to specific numbers.

In addition to a powerful keylogger, the Octo malware records all user actions on the infected Android devices and can be used to monitor and record them. By installing a keylogger, a hacker can record passwords entered by a user, websites visited, and elements clicked on a system, giving away vital information that can be used to track a user’s baking habits.

Unlike other Android banking trojans, these rogue apps do nothing more than deploy the malicious payload embedded within them. The list of Octo and Coper droppers used by multiple threat actors is below –

• Pocket Screencaster
• Fast Cleaner 2021
• Play Store
• Postbank Security
• Pocket Screencaster
• BAWAG PSK Security
• Play Store app install

They are distributed through the Google Play store and through fraudulent landing pages which purport to alert users that they need to download a browser update through these apps posing as Play Store app installers, screen recorders, and financial apps.

 

The Ultimate Goal

The goal is to allow the automatic initiation of fraudulent transactions and their authorization without the operator’s participation or intervention, thereby allowing fraud on a significantly larger scale.

A new study published by AppCensus found 11 apps with over 46 million installations that were equipped with the Coelib third-party SDK, which enabled it to track clipboard contents, GPS data, email addresses, phone numbers, even the modem router MAC address and network SSID of the users.

 

Recommendations:

• Continually update the computer and mobile device
• Employ antivirus software and anti-malware protection on device
• Use good and unique password habit
• Regular backup of data
• Keep the personal information personal
• Secure the network connection
• Don’t click on unknown attachment