ThreatFabric specialists have discovered a new version of the Octo banking malware for Android devices. Octo is an evolved form of EXOcompact, which was itself based on the Exo Trojan that disappeared from the cybercrime scene in 2018.
Unlike EXOcompact, Octo malware is equipped with a remote access module that allows attackers to remotely control the victim’s device and perform fraudulent actions.
Remote access is provided by a real-time screen streaming module (the screen image is refreshed every two seconds) built on Android MediaProjection, while the remote actions themselves are performed through the Accessibility Service.
Octo hides its remote operations from the victim behind a black screen: the malware reduces the screen brightness to zero and disables notifications using the “Do Not Disturb” mode.
While the victim believes the device is switched off, the malware is in fact performing various actions, including reproducing screen touches and control gestures, typing text, modifying the clipboard, inserting data and scrolling pages up and down.
In addition to remote access, Octo is also equipped with a powerful keylogger that monitors and records all of the victim’s actions on the infected Android device, including PIN code entry, websites opened, items clicked, etc. The malware also executes the following commands: blocking push notifications from certain applications, intercepting SMS messages, muting and temporarily locking the device screen, launching certain applications, starting/stopping a remote access session, updating the list of C&C servers, opening certain URLs and sending SMS messages to specified phone numbers.
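As an added illustration for defenders (not code from ThreatFabric or from this report), the following Python script triages an AndroidManifest.xml for the combination of capabilities described above: an accessibility service, a MediaProjection foreground service, Do Not Disturb and brightness control, and SMS access. The permission names are real Android identifiers; the weights, the review threshold and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Manifest-level indicators matching the capabilities described above.
# Permission names are real Android identifiers; the weights are an assumption.
INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility-driven remote actions", 3),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": ("screen streaming via MediaProjection", 3),
    "android.permission.ACCESS_NOTIFICATION_POLICY": ("Do Not Disturb toggling", 1),
    "android.permission.WRITE_SETTINGS": ("screen brightness changes (black screen)", 1),
    "android.permission.RECEIVE_SMS": ("SMS interception", 2),
    "android.permission.SEND_SMS": ("outbound SMS", 2),
}


def find_indicators(manifest_xml: str) -> dict:
    """Return {permission: description} for every indicator present in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(A + "name")
        if name in INDICATORS:
            found[name] = INDICATORS[name][0]
    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE in its android:permission attribute,
    # not via <uses-permission>, so the <service> elements are checked too.
    for svc in root.iter("service"):
        name = svc.get(A + "permission")
        if name in INDICATORS:
            found[name] = INDICATORS[name][0]
    return found


def risk_score(found: dict) -> int:
    return sum(INDICATORS[name][1] for name in found)


def needs_review(manifest_xml: str, threshold: int = 6) -> bool:
    """Flag an APK that combines an accessibility service with other indicators (threshold assumed)."""
    found = find_indicators(manifest_xml)
    return "android.permission.BIND_ACCESSIBILITY_SERVICE" in found and risk_score(found) >= threshold


# Constructed sample manifest for the example; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = find_indicators(SAMPLE_MANIFEST)
    print(f"score={risk_score(hits)} review={needs_review(SAMPLE_MANIFEST)}")
    for name, why in hits.items():
        print(f"  {name}: {why}")
```

A manifest hit alone is not proof of malice (legitimate accessibility and screen-sharing apps declare some of these); the score only prioritises which APKs deserve dynamic analysis.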
Octo is currently being sold on hacker forums such as the Russian-language XSS by a cybercriminal operating under the pseudonyms Architect and goodluck.