Cybersecurity experts at ThreatFabric have uncovered a new version of the notorious Android banking trojan, Octo. Dubbed Octo2, this evolved malware strain is currently targeting European countries, disguising itself as popular applications such as NordVPN, Google Chrome, and Europe Enterprise.
Enhanced Features and Improved Resilience
Octo2 represents a significant upgrade from its predecessor, boasting improved resilience, advanced anti-analysis and anti-detection mechanisms, and the implementation of a Domain Generation Algorithm (DGA) for more robust communication with command and control servers. These enhancements make Octo2 a formidable threat in the current cybersecurity landscape.
Historical Context and Evolution
The original Octo trojan, active from 2019 to 2021, was based on the ExobotCompact malware, itself a “lightweight” version of the infamous Exobot. The source code leak of Exobot in 2018 set the stage for this lineage of banking trojans. Earlier this year, Octo’s source code also leaked, leading to numerous forks and potentially prompting its creator, known as Architect, to develop Octo2.
Current Threat Landscape and Distribution
At present, Octo2 campaigns are primarily focused on users in Italy, Poland, Moldova, and Hungary. However, given its Malware-as-a-Service (MaaS) model, security researchers anticipate its rapid spread to other regions. The malware is currently distributed through third-party app stores and other unofficial sources, masquerading as legitimate applications.
Infection Vector and Evasion Techniques
Octo2 utilizes the Zombinder service to inject malicious payloads into APK files, effectively bypassing security mechanisms in Android 13 and later versions. This sophisticated approach allows the trojan to evade detection and infect devices more easily.
Technical Advancements in Octo2
While Octo2 is not a complete rewrite, it introduces several notable improvements:
- A new “SHIT_QUALITY” setting for the remote access module, optimizing data transmission in poor network conditions
- Enhanced payload decryption using native code
- Dynamic loading of additional libraries during runtime to complicate analysis
- Implementation of DGA for improved resilience against server takedowns
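The article does not describe Octo2's DGA itself, but the defensive side of the DGA point above can be illustrated: because the trojan can compute fresh C2 domains, takedowns of individual domains have little effect, so detection has to look at the lookups a device makes. The following is an added example (not from the ThreatFabric report or the malware) that scores queried domains on lexical features typical of algorithmically generated names and runs it over a few constructed resolver log lines; the log format and thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log lines (assumed format, not real telemetry).
SAMPLE_DNS_LOG = """\
2024-09-24T10:01:02Z client=10.0.0.7 query=nordvpn.com type=A
2024-09-24T10:01:05Z client=10.0.0.7 query=xk3q9zt7wmbp2lfr.net type=A
2024-09-24T10:01:09Z client=10.0.0.7 query=qwv8jzr4lkt6xncd.net type=A
2024-09-24T10:01:12Z client=10.0.0.7 query=accounts.google.com type=A
2024-09-24T10:01:15Z client=10.0.0.7 query=ph7mtzqxv3rjkw9b.com type=A
"""

QUERY_RE = re.compile(r"client=(?P<client>[\d.]+) query=(?P<qname>[\w.-]+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Naive second-level label ('google' for accounts.google.com)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname: str) -> int:
    """Count of DGA-like indicators (0-4) for the registered label."""
    label = registered_label(qname)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    indicators = [
        shannon_entropy(label) > 3.5,   # high character diversity
        vowel_ratio < 0.3,              # unpronounceable
        len(label) >= 12,               # long label
        any(ch.isdigit() for ch in label),  # digits mixed into letters
    ]
    return sum(indicators)


def find_dga_candidates(log_text: str, threshold: int = 3) -> list[str]:
    """Return queried names whose score reaches the threshold, in log order."""
    hits = []
    for match in QUERY_RE.finditer(log_text):
        qname = match.group("qname")
        if dga_score(qname) >= threshold:
            hits.append(qname)
    return hits


if __name__ == "__main__":
    for name in find_dga_candidates(SAMPLE_DNS_LOG):
        print("DGA candidate:", name, "score", dga_score(name))
```

A single hit is weak evidence; a burst of such lookups from one client in a short window, especially with NXDOMAIN answers, is the pattern worth alerting on.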
As Octo2 continues to evolve and spread, users must remain vigilant and adhere to best security practices. Avoid downloading applications from unofficial sources, regularly update your devices, and use reputable mobile security solutions to protect against such sophisticated banking trojans. The cybersecurity community will need to stay alert and adaptive to counter this emerging threat effectively.