New banking Trojan Octo is spreading through fake apps on the Google Play Store

A number of malicious Android applications that have been installed over 50,000 times from the official Google Play Store are being used to attack banks and other financial institutions.

Dubbed Octo, the banking Trojan is said to be a rebrand of another Android malware called ExobotCompact, which in turn is a “lite” replacement for its predecessor Exobot, Dutch mobile security company ThreatFabric said in a report shared with The Hacker News.

Exobot is also said to have paved the way for a separate descendant called Coper, which was originally discovered targeting Colombian users around July 2021, with newer infections aimed at Android users in various European countries.

“Coper malware applications are modular and include a multi-stage infection method and multiple defensive tactics to survive removal attempts,” cybersecurity firm Cyble noted in an analysis of the malware last month.


Like other banking trojans for Android, fraudulent applications are nothing more than droppers, the main function of which is to deploy a malicious payload embedded in them. The list of Octo and Coper droppers used by several attackers is given below:

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (viseeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postal Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2)
  • Play Store App Install (com.theseeye5)

These apps, which pose as Play Store app installers, screen recorders, and financial apps, are “powered by ingenious distribution schemes”: they are spread both through the Google Play Store and through fraudulent landing pages that purportedly warn users to download a browser update.


Droppers, once installed, act as a conduit for launching the Trojans, but not before asking users to turn on accessibility services, which provide a wide range of options for extracting sensitive information from compromised phones.
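As an added defender-side example (this code is not from the article, ThreatFabric or Cyble), the script below triages a device for the two indicators the article describes: the dropper package names listed above, and whether any of those packages has been granted an accessibility service. It assumes input in the format produced by `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`; the sample outputs and the service class name `com.cutthousandjs.AccService` are constructed for illustration.

```python
"""Triage an Android package list against the Octo/Coper dropper names
named in the article, and flag any that hold accessibility permissions."""

# Dropper package names as listed in the article (label -> package).
OCTO_COPER_DROPPERS = {
    "com.moh.screen": "Pocket Screencaster",
    "viseeva.fast.cleaner": "Fast Cleaner 2021",
    "com.restthe71": "Play Store",
    "com.carbuildz": "Postal Security",
    "com.cutthousandjs": "Pocket Screencaster",
    "com.frontwonder2": "BAWAG PSK Security",
    "com.theseeye5": "Play Store App Install",
}


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output (lines of the form
    `package:<name>`) into a set of package names."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def parse_enabled_accessibility(output):
    """Parse the `enabled_accessibility_services` secure setting, a
    colon-separated list of `<package>/<service class>` entries, into the
    set of packages that currently run an accessibility service."""
    output = output.strip()
    if not output or output == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in output.split(":") if entry}


def triage(pm_output, accessibility_output):
    """Return one finding per installed dropper package, noting whether the
    package has also been granted an accessibility service (the step the
    droppers rely on before deploying their payload)."""
    installed = parse_pm_list(pm_output)
    a11y_packages = parse_enabled_accessibility(accessibility_output)
    findings = []
    for pkg in sorted(installed):
        if pkg in OCTO_COPER_DROPPERS:
            findings.append({
                "package": pkg,
                "label": OCTO_COPER_DROPPERS[pkg],
                "accessibility_enabled": pkg in a11y_packages,
            })
    return findings


# Constructed sample device output; the service class name is made up.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.cutthousandjs
package:com.example.bank
package:com.frontwonder2
"""
SAMPLE_A11Y_OUTPUT = (
    "com.cutthousandjs/com.cutthousandjs.AccService:"
    "com.android.talkback/.TalkBackService"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        status = "ACCESSIBILITY ENABLED" if finding["accessibility_enabled"] else "installed"
        print(f"{finding['package']} ({finding['label']}): {status}")
```

On a real device the two inputs would come from `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`; a dropper that is both installed and present in the accessibility list has already passed the point at which the article says the payload is deployed, so such a finding should be treated as an active compromise rather than a pending one.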

Octo, a redesigned version of ExobotCompact, is also equipped for on-device fraud by gaining remote control of devices using the accessibility permissions as well as Android’s MediaProjection API for capturing screen content in real time.

The end goal, according to ThreatFabric, is to initiate “the automatic initiation and authorization of fraudulent transactions without manual effort on the part of the operator, allowing fraud on a much larger scale.”

Other notable Octo features include logging keystrokes, performing overlay attacks on banking applications to capture credentials, collecting contact information, and safeguards to prevent removal and bypass anti-virus engines.


“The Octo rebrand erases previous links to the Exobot source code leak, attracting many attackers looking to rent a supposedly new and original Trojan,” ThreatFabric noted.

“Its capabilities endanger not only the explicitly targeted applications that are attacked with an overlay, but also any application installed on an infected device, since ExobotCompact/Octo can read the contents of any application displayed on the device screen and provide the attacker with enough information to remotely interact with it and perform on-device fraud (ODF).”

The findings coincide with the discovery of a separate Android banking bot called Godfather, which overlaps with the Cerberus and Medusa banking trojans and has been seen targeting banking users in Europe under the guise of a Settings app to transfer funds and steal text messages, among other things.

In addition, a new analysis published by AppCensus found 11 apps with over 46 million installs that embedded a third-party SDK called Coelib, which collected clipboard content, GPS data, email addresses, phone numbers, and even the MAC address of the user’s modem router and the network SSID.
