The way malware families evolve over time is an intriguing aspect of the malware life cycle: threat actors seize something that works and then improve on it or expand it.
Exobot, an Android banking trojan that first appeared in 2016, targeted users in several countries until 2018, when it morphed into ExobotCompact, a slimmed-down remote access trojan (RAT) that has since spawned a few subtypes of its own.
What is Octo malware?
Cybersecurity researchers recently discovered Octo, a new RAT that evolved from Exobot but carries even more deceptive features, such as hiding the trojan’s activity while turning the phone into a vehicle for fraud.
Threat Fabric researchers found Octo after noticing posts on dark web forums requesting it. Octo shares many features with ExobotCompact, including measures that hinder reverse engineering and code that is easily hidden inside an innocent-looking app on the Google Play Store, as well as the trick of disabling Google Play Protect once the app is installed, according to Threat Fabric.
According to Threat Fabric, Octo’s on-device fraud (ODF) capability is what sets it apart. ODF itself is not new to the malware world, but it is the feature that distinguishes Octo from the rest of the Exobot malware family.
How does it work?
Octo abuses the Android Accessibility service and sets up what amounts to a live stream from the compromised phone to the attacker’s command-and-control (C2) servers, refreshed roughly every second.
It then overlays a black screen and disables notifications so that the unsuspecting user has no idea what it is doing.
While the device appears to be switched off, the malware is busy behind the blank screen, scrolling, tapping, entering text, and cutting and pasting.
Octo also includes a keylogger that records everything the victim types (PINs, social security numbers, OnlyFans messages and the like), can block push notifications from specific apps, and can intercept or send text messages.
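The grants described above, Accessibility-service access and notification-listener access, are visible on any Android device through two `adb shell settings` commands, so a simple triage check is to list the packages holding them and flag anything outside an allowlist. The script below is an added example for this article, not code from Threat Fabric or from the malware; it parses the real colon-separated output format of those commands, but the allowlist, the `com.example.fastcleaner` package name and the sample device output are constructed for illustration.

```python
"""
Triage helper: flag Android packages that hold the Accessibility-service
or notification-listener grants that Octo-style malware relies on.

Added example for this article (not ThreatFabric's or the malware's code).
It reads the ':'-separated component lists printed by these real commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell settings get secure enabled_notification_listeners

The allowlist and the sample output below are constructed; the package
com.example.fastcleaner is hypothetical.
"""

# Hypothetical allowlist of packages expected to hold these grants on your
# fleet (screen readers, system UI). Tune it for your own devices.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.systemui",
}


def parse_component_list(raw):
    """Turn 'pkg/Class:pkg2/.RelClass' into a list of (package, class) pairs.

    Android stores these settings as flattened ComponentNames separated by
    ':'. A class beginning with '.' is relative to its package, and
    `settings get` prints the literal string "null" when the key is unset.
    """
    components = []
    for item in raw.strip().split(":"):
        item = item.strip()
        if not item or item == "null":
            continue
        pkg, sep, cls = item.partition("/")
        if not sep:
            continue  # malformed entry: skip it rather than crash the triage
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def suspicious_grants(accessibility_raw, listeners_raw, allowlist=ALLOWLIST):
    """Return one finding per non-allowlisted package holding either grant.

    A package holding BOTH grants can drive the UI and silence the user's
    notifications at the same time, which is the Octo pattern, so that
    combination is rated 'high'; a single grant is rated 'medium'.
    """
    a11y = {pkg for pkg, _ in parse_component_list(accessibility_raw)}
    listeners = {pkg for pkg, _ in parse_component_list(listeners_raw)}
    findings = []
    for pkg in sorted(a11y | listeners):
        if pkg in allowlist:
            continue
        grants = []
        if pkg in a11y:
            grants.append("accessibility")
        if pkg in listeners:
            grants.append("notification_listener")
        severity = "high" if len(grants) == 2 else "medium"
        findings.append({"package": pkg, "grants": grants, "severity": severity})
    return findings


# Constructed sample output, as if pasted from the two adb commands above.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fastcleaner/.AccessibilityHelper"
)
SAMPLE_LISTENERS = (
    "com.example.fastcleaner/.NotifService:"
    "com.android.systemui/.ExampleListener"
)

if __name__ == "__main__":
    for f in suspicious_grants(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS):
        print(f"{f['severity'].upper():6} {f['package']}  "
              f"grants={','.join(f['grants'])}")
```

On a real device, pipe the two `adb shell settings get secure ...` outputs into `suspicious_grants` in place of the sample strings. The allowlist approach matters because a legitimate screen reader holds exactly the same grants as Octo; the signal is an unexpected package holding them, not the grants themselves.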
Octo’s tentacles are scarily versatile
Octo is a fitting name for a piece of malware with such frightening versatility. In campaigns where attackers are already using the malware, Threat Fabric found an innocent-looking app on Google Play called “Fast Cleaner” that was actually a “dropper” for Octo.
Droppers are ostensibly legitimate apps that carry a malware payload. They may even do what they advertise, but they are ultimately poison pills.
According to Threat Fabric, “Fast Cleaner” was a popular dropper because it had also been used to distribute other malware families, including Alien and Xenomorph.
Malicious software grows more cunning with each new evolution, as both Bleeping Computer and Threat Fabric point out, adding features like multi-factor authentication (MFA) evasion; Octo’s ability to intercept text messages, for example, gives it a way at one-time codes delivered by SMS.
It’s easy to feel completely exposed in this situation. When it comes to protecting yourself and your data, vigilance is vital.
Keep up with the latest threats by keeping your device updated with the most recent security patches, and be wary of any app that asks for Accessibility access without an obvious reason to need it, since that permission is what lets Octo drive your phone.