A new strain of malware is circulating the internet and seeking to take over your Android device. Once installed, “Octo”, as it is colloquially known, can both see your screen remotely and control your device, all without you knowing. Let’s take a look at where Octo came from, how it works, and how you can avoid it.
What is Octo?
ThreatFabric was the first outlet to discover and report on Octo, which discovered that the strain was an evolution of the Exobot malware family. Since 2016, Exobot malware mainly targets banking business and has evolved into different strains over time. Now, ThreatFabric has identified a strain it calls ExobotCompact.D: on the dark net, however, the malware is called “Octo.”
Many hackers try to break into your accounts from their personal devices, phishing your login details, as well as your MFA codes. However, Octo allows bad actors to remotely access your Android phone, in what is known as On-Device Fraud (ODF). ODF is extremely dangerous, because the activity does not occur anywhere else in the world, but from the device that your accounts and networks expect.
How does Octo work?
Octo takes over the MediaProjection function of Android in order to remotely stream the activity of your smartphone. Although it’s not a perfect live stream (the video runs at around 1 frame per second), it’s very quick for hackers to see what they’re doing on your device. However, to do anything, they will then use Octo to support AccessibilityService.
However, you won’t see any of this happening, as Octo uses a black overlay on your screen, in addition to disabling any notifications you might receive: From your perspective, your phone appears to be off, but to hackers, it’s open season on your android device.
From there, hackers can perform an assortment of remote tasks on your device, including taps, gestures, text input, text pasting, long clicks, and scrolling, among other commands. On top of that, a hacker doesn’t even have to do these things himself: he can just “tell” the malware what he wants it to do, and the malware will perform the tasks automatically. So you can imagine that the potential scale of fraud is greatly expanded, as there is no need for a human to sit down and go through the steps one by one.
Octo can do a lot once it’s on your device. It can act as a keylogger, reporting every action you take on your device, including your lock pattern or PIN, URLs you visit, and every tap you make on your screen. Additionally, it can scrape your contact lists, intercept your text messages, and record and monitor your phone calls. The Octo author even made discovery more difficult by writing his own code to hide the identity of the malware.
How does Octo install on your Android phone?
Like many malware infections, compromised apps are a major installation vector. According to ThreatFabric, the “Fast Cleaner” app was found to contain Octo alongside other types of malware, and was downloaded over 50,000 times before Google removed it from the Play Store. The app primarily targeted users in European banks and installed Octo by convincing users to install a “browser update”. Other affected apps include a screen recorder called “Pocket Screencaster”, as well as a suite of fake banking apps designed to trick real bank users into downloading them.
The secret to avoiding Octo, then, is to use excellent cybersecurity practices on your Android device at all times. Never download an app from the Play Store without checking it carefully first. While Google’s rejection system is certainly better than it used to be, compromised apps succeed all the time.
Then be extremely Beware of apps that ask you to download a separate app or install an update from their link, not the Play Store. Legit apps want you to use their app, not follow some sketchy link to download another app. Likewise, your apps will receive updates from the Play Store, not the app’s proprietary update site. These methods are classic malware installation tactics, and you can avoid them simply by thinking about the actions you perform on Android.
If you are worried that you have installed malware, you can use a trusted service like MalwareBytes to scan your device for malware. If you need to go nuclear, a factory reset can wipe out any malware and install a fresh version of Android on your phone. As long as you are aware of the apps and links you interact with on your devices, you should be well on your way to avoiding Octo and other similar malware.