
Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant, Octo2, with improved stability for the remote-action capabilities it uses in Device Takeover (DTO) attacks.

The new variant currently targets European countries. It combines strengthened anti-analysis measures with a Domain Generation Algorithm (DGA) for locating its command-and-control (C2) servers, which makes the Trojan harder both to detect on the device and to block on the network.

History of the Family

The Exobot banking trojan evolved into ExobotCompact in 2019. In 2021 a variant dubbed “Coper” was identified as ExobotCompact, and in 2022 ExobotCompact was rebranded as “Octo.”

Since then, Octo has gained popularity among threat actors, first through the leak of its source code and now through the new version, Octo2, which offers improved remote access capabilities.

This has led to increased activity and campaigns involving Octo in the mobile threat landscape.

The analysis of Octo2 malware reveals its global targeting potential as the malware-as-a-service platform has been observed in various regions, including Europe, the USA, Canada, the Middle East, Singapore, and Australia. 

Octo2’s settings focus on intercepting push notifications from specific applications, suggesting potential attack targets.

Initial campaigns were observed in Italy, Poland, Moldova, and Hungary, but broader global targeting is expected. Octo2 is delivered through Zombinder, a third-party dropper service that bypasses the Android 13+ restrictions on sideloaded apps and lures the victim into installing the payload.


Zombinder lured the victim into allowing the installation of Octo2

Octo2 introduces several improvements with two goals: keeping remote-control sessions stable during Device Takeover attacks, and making the malware harder for security solutions and analysts to identify and dissect.

On the RAT side, a new setting reduces the amount of data transmitted during a session, which improves connection stability on poor mobile networks and lets operators keep control of a compromised device more reliably.

On the anti-analysis side, the obfuscation chain is now more complex: the payload is decrypted by native code and loaded dynamically as a library, so static inspection of the APK as shipped sees an encrypted blob rather than the working code.

It employs a Domain Generation Algorithm (DGA) to derive C2 server names at runtime instead of hardcoding them. Blocking or taking down a single domain therefore does not sever the botnet, and analysts cannot simply extract a static C2 list from a sample.
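To make the DGA point concrete, here is an added example (not Octo2's algorithm, and not code from ThreatFabric or this article) of a seed-and-date DGA together with the defender's counter-move: once the algorithm and seed are recovered from a sample, the domains for the coming days can be pre-generated and matched against DNS logs. The seed, the TLD set, and the sample log lines are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed seed and TLD set for this example; not Octo2's values.
SEED = b"example-seed"
TLDS = ("com", "net", "xyz")
LABEL_LEN = 12


def generate_domains(day, count=5, seed=SEED):
    """Derive `count` candidate C2 domains for one calendar day.

    Every bot that shares the seed and the date computes the same list,
    so the operator only has to register one of them to be found.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        # Map hex nibbles onto letters so the label looks like a hostname
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:LABEL_LEN])
        tld = TLDS[int(digest[LABEL_LEN], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days, count=5, seed=SEED):
    """Defender side: with the algorithm and seed recovered from a sample,
    pre-generate every domain the bots will try over a window of days."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset), count, seed))
    return block


def flag_queries(log_lines, blocklist):
    """Match DNS query log lines (format: '<ts> <client> <qname>') against
    the precomputed blocklist and return the (client, qname) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample DNS log: one benign lookup and one query for the
# first domain this DGA produces for 2024-09-24.
DEMO_DAY = date(2024, 9, 24)
SAMPLE_LOG = [
    "2024-09-24T08:00:01Z 10.0.0.7 play.google.com.",
    f"2024-09-24T08:00:05Z 10.0.0.9 {generate_domains(DEMO_DAY)[0]}.",
]

if __name__ == "__main__":
    blocklist = precompute_blocklist(DEMO_DAY, days=7)
    print(f"{len(blocklist)} domains to block for the next 7 days")
    for client, qname in flag_queries(SAMPLE_LOG, blocklist):
        print(f"ALERT {client} resolved DGA domain {qname}")
```

The practical lesson is that a DGA only buys the operator time: the algorithm and seed live in the sample, so reverse engineering them turns an unpredictable C2 into a predictable blocklist. Real DGAs also vary the seed or the day boundary to slow this down, which is why recovering the exact parameters matters more than spotting that a DGA exists.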

Each C2 request also carries a cryptographic salt that is mixed into the derivation of the encryption key, so every request is encrypted under a different key; this is intended to complicate interception and analysis of the traffic. The caveat for analysts is that a salt-derived key is only as secret as the static material it is derived from: the salt has to travel with the request, so whoever extracts the static secret from the app can still decrypt captured traffic.
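The following added example (not Octo2's scheme, and not code from the article or from ThreatFabric) shows what per-request salted key derivation looks like and why it does not stop an analyst who holds the static secret. It derives a key from a hypothetical app-embedded secret plus a fresh salt, encrypts with an HMAC-based counter-mode keystream, and then decrypts using only the salt read from the message and the same static secret. The secret value and beacon body are constructed; the construction has no integrity protection and is for illustration, not for production use.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the static secret an analyst would pull out
# of the APK; hypothetical, not a real Octo2 value.
STATIC_SECRET = b"secret-embedded-in-the-apk"
SALT_LEN = 16


def derive_key(secret, salt):
    """Per-request key: HMAC-SHA256 of the random salt under the static secret."""
    return hmac.new(secret, salt, hashlib.sha256).digest()


def keystream(key, length):
    """Counter-mode keystream built from HMAC-SHA256 (illustrative stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_request(plaintext, secret=STATIC_SECRET, salt=None):
    """Bot side: fresh salt per request, key derived from it, salt sent in
    the clear ahead of the ciphertext so the server can derive the same key."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = derive_key(secret, salt)
    return salt + xor_bytes(plaintext, keystream(key, len(plaintext)))


def decrypt_request(blob, secret=STATIC_SECRET):
    """C2 side, and equally an analyst holding the extracted secret:
    read the salt from the message, re-derive the key, strip the keystream."""
    salt, ciphertext = blob[:SALT_LEN], blob[SALT_LEN:]
    key = derive_key(secret, salt)
    return xor_bytes(ciphertext, keystream(key, len(ciphertext)))


if __name__ == "__main__":
    beacon = b'{"cmd":"get_tasks","id":"device-001"}'  # constructed beacon body
    first, second = encrypt_request(beacon), encrypt_request(beacon)
    print("same plaintext, different ciphertext:", first != second)
    print("analyst with static secret recovers:", decrypt_request(first) == beacon)
    print("wrong secret recovers:", decrypt_request(first, b"guess") == beacon)
```

Two observations follow from running it. The per-request salt defeats naive signature matching on the ciphertext, since the same beacon never looks the same twice on the wire. It does nothing against traffic decryption once the static secret is recovered from the sample, which is the normal first step in analysing a banking trojan's C2 protocol.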

According to ThreatFabric, this combination of techniques poses a significant threat to mobile banking security because it makes Octo2 more resilient to detection and removal.

Octo2 poses a significant threat to mobile banking because it combines remote access, obfuscation, and easy customization by operators, and because the leaked source code of its predecessor has made the family widely available and adaptable.

By performing on-device fraud invisibly and intercepting sensitive data such as push notifications, Octo2 can target mobile banking users globally.

Users can reduce their exposure by not sideloading apps from outside Google Play, declining Accessibility Service requests from apps that have no reason to need them, and keeping Play Protect enabled; financial institutions should treat remote-controlled, Accessibility-driven sessions as a fraud signal in their mobile app risk controls and keep watching for new variants of the family.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
