Security Experts:

Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

‘Octo’ Android Trojan Allows Cybercrooks to Conduct On-Device Fraud

Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.

Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.

Dubbed Octo, the botnet was first mentioned on dark web forums in January 2022, but an analysis of its code revealed a close connection with ExobotCompact, which is believed to be the successor of the Exobot Android trojan, which in turn was based on the source code of the Marcher trojan.

Exobot was used in numerous attacks on financial institutions in Australia, France, Germany, Japan, Thailand, and Turkey, and was maintained until 2018.

ExobotCompact emerged as a lite version of the trojan, with at least four variants observed to date, the most recent of which emerged in November 2021. The malware was even distributed via a dropper app published to Google Play – Fast Cleaner – where it gathered over 50,000 downloads.

ExobotCompact can load malicious payloads, features keylogging capabilities, and supports a variety of commands, based on which it can block notifications, target applications with overlay attacks, intercept SMS, lock the screen and disable sound, open URLs, launch applications, show push notifications, send text messages, and start remote access sessions.

[ READ: SharkBot Android Malware Continues Popping Up on Google Play ]

The Octo malware that emerged in January, Threat Fabric says, is an updated and rebranded version of ExobotCompact. Its most important new feature, they underline, is a remote access capability that allows operators to perform on-device fraud (ODF).

“ODF is the most dangerous, risky, and inconspicuous type of fraud, where transactions are initiated from the same device that the victim uses every day. In this case, anti-fraud engines are challenged to identify the fraudulent activity with a significantly smaller number of suspicious indicators compared to other types of fraud performed through different channels,” Threat Fabric notes.

Remote control over a device requires screen-streaming and a way to execute actions, and the malware uses built-in Android features for that, namely MediaProjection and AccessibilityService, which provide near real-time visibility into what is happening on the device’s screen.

To hide its malicious activities, the malware uses an option to display a black screen overlay and another to disable all notifications. At the same time, based on received commands, the malware can perform gestures and clicks, perform specific actions, set clipboard text, and paste clipboard content.

With the help of these commands, an operator can use Octo to initiate fraudulent transactions and authorize them automatically, Threat Fabric explains.

[ READ: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications ]

The Octo botnet is “owned” by a threat actor named Architect, who is likely the same person behind Exobot and the first version of ExobotCompact as well. However, the security researchers believe that there are at least five different threat actors using the botnet at the moment.

“Rebranding to Octo erases previous ties to the Exobot source code leak, inviting multiple threat actors looking for an opportunity to rent an allegedly new and original Trojan. Its capabilities put at risk not only explicitly targeted applications that are targeted by overlay attack, but any application installed on the infected device as ExobotCompact/Octo is able to read content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF),” Threat Fabric concludes.

Related: Over 100 Million Android Users Installed ‘Dark Herring’ Scamware

Related: Tens of Thousands Download “AbstractEmu” Android Rooting Malware

Related: GriftHorse Android Trojan Infects Over 10 Million Devices Worldwide

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.