Beware of a new Android banking malware, ‘Octo,’ whose remote access capabilities let its operators commit on-device fraud. Malware of this kind is typically used to take control of banking information, and this new trojan can be used to commit fraud directly from your device.

Octo is an evolved Android malware based on ExoCompact, a malware variant derived from the Exo trojan, whose authors left the cybercrime scene and whose source code was leaked in 2018. The new variant was discovered by researchers at ThreatFabric, who observed several users looking to purchase it on darknet forums.
The new variant comes with an advanced remote access module that enables threat actors to perform on-device fraud (ODF) by remotely controlling the compromised Android device. To enable remote access, Octo takes advantage of Android’s MediaProjection.

Do you know what MediaProjection is? It is a token that grants applications the ability to capture the contents of a device display as a media stream that can be played back or cast to other devices such as a TV. This enables the operators of the malware to view the infected Android device’s screen remotely. To control the device, Octo further abuses Android’s Accessibility service, which is meant to help visually impaired users control their mobile devices; Octo instead uses it to perform various malicious tasks. By setting the screen brightness to zero, Octo makes the device appear to be turned off, which lets the malware execute a variety of commands without the victim noticing. Some of the commands that Octo supports include:

  • Enabling SMS interception
  • Disabling sound and temporarily locking the device’s screen
  • Launching a specified application
  • Starting/stopping remote access session
  • Updating list of C2s
  • Opening specified URL
  • Sending SMS with specified text to a specified phone number
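Because Octo relies on an enabled Accessibility service to drive the device, one practical check is to list which accessibility services are currently enabled and flag any that do not belong to a known, trusted package. The script below is an added example, not code from the original post or from ThreatFabric: on a real device the input string comes from `adb shell settings get secure enabled_accessibility_services`, but here a constructed sample string stands in for that output, and the allowlist of trusted package prefixes is an assumption you would replace with your own.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services whose package
# is not on a trusted allowlist. On a real device, replace SAMPLE_ENABLED with:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/ServiceClass" components.

# Constructed sample standing in for the adb output (assumption, not real data).
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded.app/com.example.sideloaded.app.AccService'

# Hypothetical allowlist of package prefixes the organisation trusts, one per line.
ALLOWLIST='com.google.android.marvin.talkback
com.android.'

# unknown_accessibility_services "<colon-separated list>"
# Prints one line per enabled service whose package does not start with an
# allowlisted prefix. Prints nothing when every service is trusted.
unknown_accessibility_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        if [ -z "$svc" ]; then
            continue
        fi
        pkg=${svc%%/*}          # package part before the slash
        allowed=0
        for prefix in $ALLOWLIST; do
            case "$pkg" in
                "$prefix"*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
}

# count_unknown "<colon-separated list>"
# Prints the number of non-allowlisted services (0 when the device looks clean).
count_unknown() {
    unknown_accessibility_services "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: report on the constructed sample.
if [ "$(count_unknown "$SAMPLE_ENABLED")" != "0" ]; then
    echo "Unexpected accessibility services enabled:"
    unknown_accessibility_services "$SAMPLE_ENABLED"
else
    echo "No unexpected accessibility services enabled."
fi
```

Run it against live output with `count_unknown "$(adb shell settings get secure enabled_accessibility_services)"`; a non-zero count is a prompt to inspect the flagged package (install source, requested permissions), not proof of infection, since legitimate apps also register accessibility services.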

Tips for Mitigation

Trojans like Octo that feature remote access modules are becoming more common, and they render otherwise robust account protection steps such as two-factor codes obsolete, because the threat actor completely controls the device and the accounts logged in on it. Anything the user can see on the device’s screen is also accessible to these malware variants, so once a device is infected, no information on it is safe. That renders every protection measure ineffective. Because of this, users need to remain vigilant, keep the number of apps installed on their smartphones to a minimum, and regularly check that Play Protect is enabled.