New Octo Banking Trojan Spreading via Fake Apps on Google Play Store

Various rogue Android apps that were cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities.

The rental banking trojan, dubbed Octo, is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a "lite" replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.

Exobot is also likely said to have paved the way for a separate descendant called Coper, which was originally discovered targeting Colombian users around July 2021, with newer infections targeting Android users in different European countries.

"Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts," cybersecurity company Cyble noted in an analysis of the malware last month.

Like other Android banking trojans, the rogue apps are nothing more than droppers, whose primary function is to deploy the malicious payload embedded within them. The list of Octo and Coper droppers used by multiple threat actors is below –

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (vizeeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2), and
  • Play Store app install (com.theseeye5)

These apps, which pose as Play Store app installers, screen recording, and financial apps, are "powered by ingenious distribution schemes," distributing them through the Google Play Store and via fraudulent landing pages that purportedly alert users to download a browser update.


The droppers, once installed, act as a conduit to launch the trojans, but not before requesting users to enable the Accessibility Services that give them a wide breadth of capabilities to exfiltrate sensitive information from the compromised phones.

Octo, the revised version of ExobotCompact, is also equipped to perform on-device fraud by gaining remote control over the devices, taking advantage of the accessibility permissions as well as Android's MediaProjection API to capture screen contents in real time.
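The dropper behaviour described above gives a responder two cheap checks on a suspect handset: whether any of the package names from the list is installed, and which third-party apps currently hold an enabled accessibility service. The script below is an added example, not ThreatFabric's or Cyble's tooling; it parses constructed text that imitates the output of `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services` (the sample device output, the bank and note-taking apps, and the `com.acme.screenreader` package are all invented for the demo) and reports the findings.

```python
"""Triage helper for Octo/Coper dropper indicators on an Android device.

Added example, not the report's own tooling. Input text is constructed to
mimic `adb shell pm list packages -3` and
`adb shell settings get secure enabled_accessibility_services`.
"""

# Dropper package names as listed in the report.
KNOWN_DROPPERS = {
    "com.moh.screen": "Pocket Screencaster",
    "vizeeva.fast.cleaner": "Fast Cleaner 2021",
    "com.restthe71": "Play Store",
    "com.carbuildz": "Postbank Security",
    "com.cutthousandjs": "Pocket Screencaster",
    "com.frontwonder2": "BAWAG PSK Security",
    "com.theseeye5": "Play Store app install",
}

# Constructed sample output of `pm list packages -3` (third-party apps only).
SAMPLE_PACKAGES = """\
package:com.example.bank
package:com.carbuildz
package:com.example.notes
package:com.acme.screenreader
"""

# Constructed sample value of the secure setting enabled_accessibility_services.
# Real values are "package/service" components separated by ':'; "null" when unset.
SAMPLE_A11Y = (
    "com.carbuildz/com.carbuildz.MainService:"
    "com.acme.screenreader/.ReaderService"
)


def parse_packages(text):
    """Return the set of package names from `pm list packages` output."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_a11y_services(value):
    """Map package name -> enabled accessibility service components."""
    services = {}
    value = value.strip()
    if not value or value == "null":
        return services
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc)
    return services


def triage(packages_text, a11y_value):
    """Return (package, reason) findings, sorted by package name.

    A known dropper is reported whether or not it has reached the
    accessibility-prompt stage; any other third-party app with an enabled
    accessibility service is reported for manual review, since that is the
    permission the droppers ask for before launching the payload.
    """
    third_party = parse_packages(packages_text)
    a11y = parse_a11y_services(a11y_value)
    findings = []
    for pkg in sorted(third_party):
        if pkg in KNOWN_DROPPERS:
            reason = "known Octo/Coper dropper (%s)" % KNOWN_DROPPERS[pkg]
            if pkg in a11y:
                reason += "; accessibility service enabled"
            findings.append((pkg, reason))
        elif pkg in a11y:
            reason = "third-party app with enabled accessibility service: "
            findings.append((pkg, reason + ", ".join(a11y[pkg])))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(pkg, "-", reason)
```

On a real device the two text inputs come from `adb shell`; the accessibility check is deliberately broad, because a legitimate screen reader will also appear in it, so the second category is a review queue rather than a verdict.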

The ultimate goal, ThreatFabric said, is to trigger the "automatic initiation of fraudulent transactions and its authorization without manual efforts from the operator, thus allowing fraud on a significantly larger scale."

Other notable features of Octo include logging keystrokes, carrying out overlay attacks on banking apps to capture credentials, harvesting contact information, and persistence measures to prevent uninstallation and evade antivirus engines.

"Rebranding to Octo erases previous ties to the Exobot source code leak, inviting multiple threat actors seeking opportunity to rent an allegedly new and original trojan," ThreatFabric noted.

"Its capabilities put at risk not only explicitly targeted applications that are targeted by overlay attack, but any application installed on the infected device as ExobotCompact/Octo is able to read content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF)."

The findings come close on the heels of the discovery of a distinct Android bankbot named GodFather — sharing overlaps with the Cerberus and Medusa banking trojans — that has been observed targeting banking users in Europe under the guise of the default Settings app to transfer funds and steal SMS messages, among others.

On top of that, a new analysis published by AppCensus found 11 apps with more than 46 million installations that were implanted with a third-party SDK named Coelib that made it possible to capture clipboard content, GPS data, email addresses, phone numbers, and even the user's modem router MAC address and network SSID.
