ThreatFabric researchers have now described the Android Trojan Octo in more detail. Octo is based on ExobotCompact, a fairly well-known malware family that has been known since 2018. Octo itself is still new: the first campaigns in which the Trojan was used date from this year. According to ThreatFabric, the Trojan was caught in the wild performing various actions on victims’ smartphones via a remote access feature.
The most important innovation of Octo compared to its predecessors is precisely the advanced remote access module, which allows threat actors to carry out so-called on-device fraud (ODF) by remotely controlling the compromised Android device.
Remote access is enabled by a live screen streaming module built on Android’s MediaProjection API, combined with remote actions performed through the Accessibility Service. Octo uses a black screen overlay to hide its actions from the victim’s view. The Trojan sets the screen brightness to zero and suppresses all notifications by enabling “No Interruption” mode. To the victim, the smartphone appears inactive, while in reality a great deal can happen unnoticed.
Keylogger with remote access
By making the device appear to be powered off, the malware can perform various tasks without the victim’s knowledge, including gestures, entering text, changing the clipboard, pasting data, scrolling up and down, and transferring data. In addition to the remote access system, Octo also contains a powerful keylogger, so entered PINs and passwords are highly vulnerable.
Octo supports an extensive list of commands, the most important of which are:
- Block push notifications from specific applications
- Enable SMS interception
- Disable sound and temporarily lock the device screen
- Launch a specific application
- Start/end a remote access session
- Open a specific URL
- Send an SMS with a specific text to a specific phone number
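As an added example (not code from the article, from ThreatFabric or from Octo), the following Python script shows how a defender might triage an Android manifest for the combination of capabilities described above and in the command list: an Accessibility Service for remote UI control, an overlay permission to black out the screen, settings access to drop the brightness, notification-policy access for Do Not Disturb, and SMS permissions for interception and sending. The permission and action identifiers are real Android names; the scoring rule and both sample manifests are constructed for illustration.

```python
"""Manifest triage heuristic (added example, not ThreatFabric's or Octo's code).

Flags an Android app whose declared capabilities match the remote-access /
on-device-fraud pattern the article describes: an Accessibility Service to
drive the UI, an overlay permission to black out the screen, settings access
to drop brightness, notification-policy access for Do Not Disturb, and SMS
permissions for interception and sending.  The permission and action names
are real Android identifiers; the weighting rule and the sample manifests are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real permission names -> the behaviour from the article that they enable.
CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (black screen over the UI)",
    "android.permission.WRITE_SETTINGS": "system settings (brightness to zero)",
    "android.permission.ACCESS_NOTIFICATION_POLICY": "Do Not Disturb (silence notifications)",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SEND_SMS": "send SMS to an arbitrary number",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-capture foreground service",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(root):
    """Set of <uses-permission android:name=...> values in the manifest."""
    return {p.get(A_NAME) for p in root.findall("uses-permission")}


def has_accessibility_service(root):
    """True if any <service> is bound as an AccessibilityService."""
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) == BIND_ACCESSIBILITY:
            return True
        if any(a.get(A_NAME) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False


def triage(manifest_xml):
    """Return the capabilities found and whether the ODF pattern is complete."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    accessibility = has_accessibility_service(root)
    caps = sorted({CAPABILITIES[p] for p in perms if p in CAPABILITIES})
    # Heuristic (constructed): UI control plus a way to hide it from the user.
    hides_screen = "android.permission.SYSTEM_ALERT_WINDOW" in perms and (
        "android.permission.WRITE_SETTINGS" in perms
        or "android.permission.ACCESS_NOTIFICATION_POLICY" in perms
    )
    return {
        "package": root.get("package"),
        "accessibility_service": accessibility,
        "capabilities": caps,
        "odf_pattern": accessibility and hides_screen,
    }


# Constructed sample manifests (not taken from any real app).
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".RemoteService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Each of these permissions on its own is common in legitimate apps; what the heuristic looks for is the combination of an accessibility service that can drive the UI with the means to hide that activity from the user, which is exactly what the black-screen technique described above depends on.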
“Given the facts, we conclude that ExobotCompact has been renamed the Android banking trojan Octo and is being leased by its owner ‘Architect’ aka ‘Goodluc’. ThreatFabric is tracking this variant as ExobotCompact.D,” ThreatFabric concludes in its report.
The Trojan spreads via the Google Play Store. Among the recent apps known to have carried Octo is an application called Fast Cleaner. The app has since been removed from the store, but had around 50,000 downloads by then. Trojans with remote access modules are becoming more common and render robust account protection measures such as two-factor codes obsolete, because the threat actor fully controls the device and the accounts logged in on it.