This new Trojan could allow hackers to use your device to commit fraud
One fascinating thing about the malware lifecycle is how packages of malicious code evolve over time. These are threat actors who grab something that works and then improve or expand it. One example is a breed of banking malware that first emerged in 2016 called Exobot. It preyed on users in multiple countries until 2018 when it morphed into ExobotCompact, a Remote Access Trojan (RAT) with several additional subtypes. And recently, cybersecurity researchers discovered Octo, a new RAT that basically evolved from Exobot but has even more deceptive features, like one that allows the Trojan to hide its activities even as it transforms your phone into a vehicle to commit fraud.
Thanks to Bleeping Computer, we know that cybersecurity researchers at Threat Fabric heard about Octo by seeing requests about it on the dark web. Threat Fabric discovered that Octo has a lot in common with ExobotCompact, including measures to prevent reverse-engineering of malware and coding that make it easy to hide in a seemingly innocent app on the Google Play Store, as well as the disabling trick. Google Protect when downloading. According to Threat Fabric, what sets Octo apart is the On-Device Fraud (ODF) functionality. While ODF isn’t new to the malware ecosphere, it’s the quirk that sets Octo apart from the rest of the Exobot family of malicious apps.
To run ODF, Octo sneaks through the Accessibility Service and sets up what amounts to a live stream to the attacker’s command and control servers that’s updated every second from the compromised phone. Then it uses a black screen and disables notifications to hide what it is doing from the innocent user. So basically it looks like your device has been turned off, but the malware is throwing a party while the screen is blank and performing a host of tasks like scrolling, tapping, texting, and cutting and pasting. Octo also uses keylogging software to track everything the hacked user types into the device (like PINs, social security numbers, OnlyFans messages), and is able to block push notifications by specific applications and to intercept or send texts.
Octo is therefore an apt name for such a versatile piece of malware. As for campaigns where attackers are already using the malware, Threat Fabric discovered an innocent-looking app on Google Play dubbed “Fast Cleaner” that was actually a “dropper” for Octo. Droppers are seemingly legitimate shells that contain malware payloads. They may even do what they advertise, but in the end they are poison pills. According to the cybersecurity site, “Fast Cleaner” was a favorite dropper, as it was also used to distribute malware flavors like Alien and Xenomorph.
As both Bleeping Computer and Threat Fabric point out, malware is getting more devious with each new development, adding features like multi-factor authentication evasion. It’s easy to feel completely exposed. Vigilance is key when it comes to protecting yourself and your data. Stay informed of the latest threats and keep your device up to date with the latest security patches.
Dead Cells brings The Queen and the Sea DLC to Android for $4
About the Author