Threat Fabric security researchers have discovered an Android banking trojan that lets its operators commit on-device fraud. The botnet, dubbed Octo, was first referenced on dark web forums in January 2022. Analysis of its code, however, shows a close relationship with ExobotCompact, thought to be the replacement for the Exobot Android trojan, which was itself based on the Marcher trojan’s source code.
Exobot was used in several cyberattacks on financial institutions in Australia, Germany, France, Thailand, Japan, and Turkey, and was still active in 2018. ExobotCompact first appeared as a stripped-down form of the trojan, with at least four variants, the most recent of which was discovered in November 2021. The malware was also distributed through a Google Play dropper app called Fast Cleaner, which received over 50,000 downloads.
Driven by a range of commands, ExobotCompact can load malicious payloads, log keystrokes, block notifications, intercept SMS, target applications with overlay attacks, lock the screen and disable sound, open URLs, show push notifications, launch apps, send text messages, and start remote access sessions. According to Threat Fabric, the Octo malware that appeared in January is a modified and renamed version of ExobotCompact. They emphasize that the most critical new feature is remote access, which allows operators to carry out on-device fraud (ODF).
“ODF is the most dangerous, risky, and inconspicuous type of fraud, where transactions are initiated from the same device that the victim uses every day. In this case, anti-fraud engines are challenged to identify the fraudulent activity with a significantly smaller number of suspicious indicators compared to other types of fraud performed through different channels,” Threat Fabric notes.
Remotely controlling a device requires both screen streaming and a way to perform actions. The malware relies on built-in Android features such as MediaProjection (screen capture) and AccessibilityService (reading the UI and injecting input), which give near-real-time insight into what is happening on the device’s screen. The malware hides its activity by displaying a black screen overlay and suppressing all alerts, among other things. At the same time, based on received commands, it can perform gestures and clicks, carry out specific actions, set clipboard text, and paste clipboard content.
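The abuse described above (screen streaming via MediaProjection, input injection via AccessibilityService, and a black overlay) leaves signals a banking app can check for on the client. The following Kotlin is an added example written for this article; it is not Threat Fabric’s code, not Octo’s, and not taken from any real banking app. It assumes an Android app with minSdk 23 or higher, a hypothetical `TransferActivity` that shows a payment screen, and a hypothetical allowlist of accessibility packages (the TalkBack package name is used as a placeholder trusted entry). It reports enabled accessibility services that are not on the allowlist, reports whether the app’s own overlay permission is granted, and sets `FLAG_SECURE` on the sensitive window so that MediaProjection captures of it come out black.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.os.Bundle
import android.provider.Settings
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Hypothetical allowlist: accessibility services the bank chooses to tolerate.
// The entry below is a placeholder for the platform screen reader; a real
// deployment ships its own, reviewed list.
private val TRUSTED_ACCESSIBILITY_PACKAGES = setOf(
    "com.google.android.marvin.talkback",
)

data class DeviceRiskReport(
    // "package/serviceClass" for every enabled service not on the allowlist
    val untrustedAccessibilityServices: List<String>,
    // true if this app holds SYSTEM_ALERT_WINDOW (draw-over-apps) permission
    val canDrawOverlays: Boolean,
) {
    // Either signal alone justifies a step-up or an out-of-band confirmation;
    // a third-party accessibility service plus overlays is the pattern the
    // article describes for remote-controlled on-device fraud.
    val elevated: Boolean
        get() = untrustedAccessibilityServices.isNotEmpty() || canDrawOverlays
}

// Collects the two client-side signals. Detection only: nothing here blocks
// the user, it just feeds the app's own risk decision.
fun assessDeviceRisk(context: Context): DeviceRiskReport {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    // Every accessibility service the user has enabled, regardless of feedback type.
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
    val untrusted = enabled
        .map { info ->
            val svc = info.resolveInfo.serviceInfo
            "${svc.packageName}/${svc.name}"
        }
        .filter { it.substringBefore('/') !in TRUSTED_ACCESSIBILITY_PACKAGES }
    // Settings.canDrawOverlays reports only this app's overlay grant; whether
    // some other app can draw over the screen is not observable from here.
    val overlays = Settings.canDrawOverlays(context)
    return DeviceRiskReport(untrusted, overlays)
}

// Hypothetical payment screen.
class TransferActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE makes this window opaque to MediaProjection and screenshots,
        // so an operator streaming the screen sees black while it is in front.
        // It does NOT stop an accessibility service from reading view content or
        // injecting taps, which is why the accessibility check is still needed.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE,
        )
        val risk = assessDeviceRisk(this)
        if (risk.elevated) {
            onElevatedRisk(risk)
        }
    }

    // Hypothetical handler: send the signals to the bank's anti-fraud backend and
    // require step-up authentication before the transfer is accepted, so the
    // decision is made server-side rather than trusted to the device.
    private fun onElevatedRisk(report: DeviceRiskReport) {
        // Implementation is app-specific and intentionally left to the integrator.
    }
}
```

The report is best treated as one input to a server-side risk engine rather than a local allow/deny: the article’s point is that ODF transactions originate from the victim’s everyday device, so the value of these checks lies in giving the anti-fraud backend indicators it would otherwise not have.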
According to Threat Fabric, an operator can use these commands to have Octo carry out fraudulent transactions and authorize them automatically. The Octo botnet is “owned” by Architect, a threat actor who is most likely also responsible for Exobot and the initial version of ExobotCompact. However, security analysts estimate that at least five separate threat actors are now using the botnet.