Exobot is an Android banking malware that first came into the scene in 2016. The threat actor behind it maintained this malicious code until 2018, with reports of exploits coming in from various corners of the world. The author of this malware sold off the source code in 2018 but it was soon leaked publicly. Meanwhile, Exobot gave birth to a new RAT called ExobotCompact. The newly discovered Octo Android banking malware is an updated version of it, with several new features.

Octo can hide its on-device fraud activities

In an on-device fraud or ODF, the attacker gains remote access to a victim’s device and performs transactions or other activities without them knowing. Since all the fraud takes place on the device itself, ODF is the most dangerous and inconspicuous type of fraud, ThreatFabric notes. To execute remote actions, the attacker needs to stream the screen of the victim’s device. The Octo malware uses Android’s built-in services for this: MediaProjection for screen streaming (updated every second) and AccessibilityService to perform actions. This tricks the anti-fraud engines on the device into thinking that the owner is operating on the device rather than a malicious actor remotely. Once the attacker has control of your device, they use a black screen overlay to hide their remote actions from the victim. The screen brightness is set to zero and the “do not disturb” mode is enabled to turn off all notifications. The device will appear to be off to the victim while the attacker is remotely executing various actions. The malware can see the clipboard data, copy/cut and paste text, scroll and tap on the screen, and perform gestures. Octo’s keylogger also allows the attacker to capture everything that the victim types on the device. This may include any messages or confidential information such as PIN, password, and banking credentials. If some malicious actor has that information, you can guess the amount of damage you could suffer. The malware can also perform dozens of other actions remotely. It can block push notifications from specific apps, enable SMS interception, or send SMS to any phone number. Other capabilities include opening a specific website, starting/stopping remote access sessions, launching an app, disabling sound, and temporarily locking the device’s screen.

Several Android apps were using the Octo malware

According to the new report by ThreatFabric, the Octo Android banking malware was found in several Android apps. These include an app called “Fast Cleaner” with more than 50,000 installs from the Google Play Store. Following the discovery of the malware, Google removed the app from Play Store in February 2022. Other affected apps include Pocket Screencaster, Fast Cleaner 2021, Play Store, Postbank Security, Pocket Screencaster (different package name), BAWAG PSK Security, and Play Store app install. It’s scary to think that malware with so much power still exists. These RATs render all account protection steps such as two-factor authentication (2FA) obsolete. The attacker gains full control of the victim’s device and effectively, its logged-in accounts. As Bleeping Computer notes, “no information is safe, and no protection measure is effective” once the malware enters your device. Always make sure you only install trusted apps, and from trusted sources. Do not install unwanted apps and enable Play Protect to scan for harmful apps.