Thursday, December 5, 2024

Octo2 Android Malware Attacking To Steal Banking Credentials


The threat actor behind the original Octo malware family has released a new variant, Octo2, whose remote-control capabilities have been made more stable specifically to support Device Takeover attacks.

So far the new variant has targeted European countries. It combines heavier code obfuscation with a Domain Generation Algorithm (DGA) for its command-and-control (C2) infrastructure, which makes the Trojan harder both to identify in static analysis and to block at the network level.

The Exobot malware family, initially a banking trojan, evolved into ExobotCompact in 2019. In 2021, a new variant, dubbed “Coper,” was discovered, which was identified as ExobotCompact, and in 2022, ExobotCompact was rebranded as “Octo.” 

History of the Family

Since then, Octo has gained popularity among threat actors, first through its leaked source code and now through the new Octo2 version, which offers enhanced remote access capabilities.

This has led to increased activity and campaigns involving Octo in the mobile threat landscape.

The analysis of Octo2 malware reveals its global targeting potential as the malware-as-a-service platform has been observed in various regions, including Europe, the USA, Canada, the Middle East, Singapore, and Australia. 

Octo2's configuration specifies which applications' push notifications it should intercept; that list is a useful indicator of the apps the operators intend to target.

Initial campaigns were seen in Italy, Poland, Moldova, and Hungary, but broader global targeting is expected. Distribution relies on Zombinder, a dropper that lures the victim into permitting the installation of Octo2 and thereby gets around the restrictions Android 13 and later place on sideloaded apps.


Zombinder lured the victim into allowing the installation of Octo2

Octo2's improvements serve two goals: keeping remote-control sessions stable during Device Takeover attacks, and evading detection and analysis. The anti-detection and anti-analysis changes make it harder for security solutions to identify and block the malware, while the stability work lets attackers maintain control over compromised devices more reliably.

Its RAT capabilities have also been refined, including a new setting that reduces the amount of data transmitted so that remote sessions remain usable over poor network connections.

The anti-analysis and anti-detection techniques have been strengthened as well: the obfuscation process now involves decrypting native code at runtime and loading libraries dynamically, which keeps the real payload out of reach of a static inspection of the APK. This makes Octo2 markedly more resilient to detection and analysis than its predecessor.

For command and control it employs a Domain Generation Algorithm (DGA): rather than carrying a fixed list of C2 servers, the sample computes domain names algorithmically, so taking down one domain does not sever communications and static blocklists lag behind.
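The following is an added example, not code from the article or from ThreatFabric's analysis, and it is not Octo2's actual algorithm, which the article does not publish. It shows a generic date-seeded DGA of the kind described above and the defender's response to it: once the algorithm and its seed have been recovered from a sample, every domain the bot will try over a window can be precomputed for blocking, sinkholing, or matching against DNS logs. The seed, TLD list, domain count and log format are all assumptions for the example.

```python
import hashlib
from datetime import date, timedelta

# Illustrative DGA for this example only; it is NOT Octo2's real algorithm,
# which the article does not publish. Seed, TLD list and count are assumed.
SEED = b"example-campaign-seed"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 4


def dga_domains(day, seed=SEED, count=DOMAINS_PER_DAY):
    """Bot side: derive the day's candidate C2 hostnames from a date and a static seed."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        # 12 lowercase letters from the first digest bytes; the last byte picks the TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def enumerate_window(start, days):
    """Defender side: with the algorithm and seed recovered from a sample,
    precompute every domain it will try over a window for blocking or sinkholing."""
    return {d for k in range(days) for d in dga_domains(start + timedelta(days=k))}


def match_dns_log(lines, start, days):
    """Return the queried names in constructed DNS log lines that hit the enumerated set."""
    watch = enumerate_window(start, days)
    hits = []
    for line in lines:
        parts = line.split()
        # constructed log format: "<timestamp> <client-ip> query <qname>"
        if len(parts) == 4 and parts[2] == "query":
            qname = parts[3].lower().rstrip(".")
            if qname in watch:
                hits.append(qname)
    return hits


# Constructed sample log (not real traffic); the second line queries a generated domain.
START = date(2024, 12, 5)
SAMPLE_LOG = [
    "2024-12-05T09:14:02Z 10.0.0.7 query example.com",
    f"2024-12-05T09:14:03Z 10.0.0.7 query {dga_domains(START)[1]}.",
    "2024-12-05T09:14:05Z 10.0.0.9 query updates.example.org",
]

if __name__ == "__main__":
    print("today's candidates:", dga_domains(START))
    print("hits in log:", match_dns_log(SAMPLE_LOG, START, 7))
```

The point for a SOC is that the enumeration only works after reverse engineering has yielded the seed and the derivation; until then the domains look like random labels, which is exactly why the article calls them difficult to track and block.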

Each C2 request is also encrypted under a key derived with a cryptographic salt that is unique to that request, so every message uses a different key and intercepted traffic cannot be decrypted with a single recovered key.
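As an added example, not Octo2's actual implementation (the article gives no details of it) and not code from ThreatFabric, the block below shows what a per-request salted key derivation means in practice for both sides. The bot derives a fresh key from a static secret and a random salt for every request, so two identical beacons look different on the wire; the analyst, who has recovered the static secret from the unpacked sample and sees the salt travelling with each message, can still decrypt every captured request. The static secret, the HMAC-based derivation and the stdlib-only stream cipher are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Illustrative scheme only; it is NOT Octo2's actual implementation, which the
# article does not detail. The static secret is an assumption standing in for a
# value an analyst would recover from the unpacked sample.
STATIC_SECRET = b"hypothetical-secret-recovered-from-apk"


def derive_key(secret, salt):
    """Per-request key = HMAC-SHA256(secret, salt): a new salt gives a new key."""
    return hmac.new(secret, salt, hashlib.sha256).digest()


def _keystream(key, nbytes):
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher for illustration;
    a real sample would more likely use AES, which the point made here does not depend on."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def encrypt_request(secret, plaintext, salt=b""):
    """Bot side: pick a random 16-byte salt, derive the key and send (salt, ciphertext)."""
    if not salt:
        salt = os.urandom(16)
    ks = _keystream(derive_key(secret, salt), len(plaintext))
    return salt, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_request(secret, salt, ciphertext):
    """Analyst side: the salt travels with the message, so the static secret from
    the sample is enough to recover any captured request."""
    ks = _keystream(derive_key(secret, salt), len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def same_plaintext_differs_on_wire(secret, plaintext):
    """Two beacons with identical content get different salts, keys and ciphertext,
    so a network signature on the encrypted bytes alone will not hold."""
    s1, c1 = encrypt_request(secret, plaintext)
    s2, c2 = encrypt_request(secret, plaintext)
    return s1 != s2 and c1 != c2 and derive_key(secret, s1) != derive_key(secret, s2)


if __name__ == "__main__":
    salt, ct = encrypt_request(STATIC_SECRET, b'{"cmd":"ping"}')  # constructed payload
    print("salt:", salt.hex(), "ciphertext:", ct.hex())
    print("recovered:", decrypt_request(STATIC_SECRET, salt, ct))
```

The practical consequence is that the per-request salt raises the bar for passive network decryption and for content-based signatures, but not for an analyst with the sample: the secret that feeds the derivation has to live on the device, so unpacking the native code and pulling it out is what unlocks the traffic.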

According to ThreatFabric, this combination of techniques makes Octo2 harder to detect and remove and poses a significant threat to mobile banking security.

The Octo2 mobile malware variant poses a significant threat to banking security due to its advanced features, including remote access, obfuscation, and easy customization.

Its predecessor’s leaked source code has contributed to its widespread availability and adaptability. 

By invisibly performing on-device fraud and intercepting sensitive data, Octo2 can target mobile banking users globally.

To mitigate this risk, users should refuse installation prompts of the kind droppers such as Zombinder present, and financial institutions should watch for the remote-session activity that Device Takeover fraud produces and keep detections current as the family evolves.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
