The Android Octo Trojan has now been described in more detail by ThreatFabric researchers. Octo is based on ExobotCompact, a malware variant that has been known since 2018. Octo itself is still new: the first campaigns in which the Trojan was used date back to this year. According to ThreatFabric, the Trojan was observed in the wild performing various actions on its victims’ smartphones through a remote access feature.
Octo’s most significant innovation over its predecessors is precisely the Advanced Remote Access Module, which allows threat actors to perform so-called On-Device Fraud (ODF) by remotely controlling the compromised Android device.
Remote access is enabled through a live screen-casting module that uses Android’s MediaProjection, while the remote actions themselves are performed through the Accessibility Service. Octo uses a black screen overlay to hide its actions from the victim’s view: the Trojan sets the screen brightness to zero and disables all notifications by enabling “No Interruption” mode. The victim gets the impression that the smartphone is inactive, while in reality the attacker’s activity on the device goes unnoticed.
Keylogger with remote access
By making the device appear to be turned off, the malware can perform various tasks without the victim’s knowledge: gestures, typing text, editing the clipboard, pasting data, scrolling up and down, and transferring data. In addition to the remote access system, Octo also has a powerful keylogger, so any PINs and passwords entered on the device are exposed.
Octo supports a long list of commands, the most important of which are:
- Block push notifications from specific apps
- Activate SMS interception
- Mute sound and temporarily lock device screen
- Launch a specific application
- Start/end remote access session
- Open a specific URL
- Send an SMS with a specific text to a specific phone number
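The capability combination described above (MediaProjection screen capture, an Accessibility Service for remote input, an overlay to black out the screen, Do-Not-Disturb control, and SMS interception and sending) can be used as a static triage heuristic when reviewing Android packages. The following is an added example, not ThreatFabric's tooling or Octo's code; the manifest samples, the `Manifest` structure and the review threshold are constructed assumptions, while the permission strings are the real Android identifiers.

```python
"""Triage heuristic: flag apps whose manifest declares the same capability
set that Octo's remote-access module relies on. Added illustration; the
samples and thresholds below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Real Android manifest permissions mapped to the Octo capability they enable.
INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (black screen)",
    "android.permission.ACCESS_NOTIFICATION_POLICY": "Do-Not-Disturb control",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "sending SMS",
    # Required for MediaProjection foreground services on targetSdk 34+.
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen capture",
}
# Declared as android:permission on a <service>, not as <uses-permission>.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class Manifest:
    """Minimal, constructed view of a parsed AndroidManifest.xml."""
    package: str
    uses_permissions: set[str]
    service_permissions: set[str] = field(default_factory=set)


def octo_indicators(m: Manifest) -> list[str]:
    """Return the human-readable capabilities found in the manifest."""
    found = [label for perm, label in INDICATORS.items() if perm in m.uses_permissions]
    if ACCESSIBILITY_PERMISSION in m.service_permissions:
        found.append("remote input via Accessibility Service")
    return found


def needs_review(m: Manifest, threshold: int = 3) -> bool:
    """Accessibility + overlay is the on-device-fraud core; otherwise require
    several co-occurring capabilities. Legitimate remote-support and
    accessibility apps also match, so this selects for review, not a verdict."""
    found = set(octo_indicators(m))
    core = {"overlay (black screen)", "remote input via Accessibility Service"}
    return core <= found or len(found) >= threshold


# Constructed samples: a "cleaner" app asking for far more than it needs, and a benign one.
SUSPICIOUS = Manifest(
    "com.example.cleaner",
    {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.ACCESS_NOTIFICATION_POLICY",
     "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    {ACCESSIBILITY_PERMISSION},
)
BENIGN = Manifest("com.example.notes", {"android.permission.INTERNET"})
```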
“Given the facts, we conclude that ExobotCompact has been renamed the Android Octo banking Trojan and is praised by its owner ‘Architect’ aka ‘Goodluc’. ThreatFabric follows this variant as ExobotCompact.D,” concludes ThreatFabric in its report.
The Trojan spreads via the Google Play Store. Among the recent apps known to have been infected with Octo is an app called Fast Cleaner. The app has since been removed from the store, but by then it had around 50,000 downloads. Trojans with remote access modules are increasingly common and render robust account-protection measures such as two-factor codes obsolete, because the threat actor has complete control of the connected device and its accounts.