Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud.
Dubbed Octo, the botnet was first mentioned on dark web forums in January 2022, but an analysis of its code revealed a close connection with ExobotCompact, believed to be the successor of the Exobot Android trojan, itself based on the source code of the Marcher trojan.
Exobot was used in numerous attacks on financial institutions in Australia, France, Germany, Japan, Thailand, and Turkey, and was maintained until 2018.
ExobotCompact emerged as a lite version of the trojan, with at least four variants observed to date, the most recent of which emerged in November 2021. The malware was even distributed via a dropper app published to Google Play – Fast Cleaner – where it gathered over 50,000 downloads.
ExobotCompact can load malicious payloads, features keylogging capabilities, and supports a variety of commands, based on which it can block notifications, target applications with overlay attacks, intercept SMS, lock the screen and disable sound, open URLs, launch applications, show push notifications, send text messages, and start remote access sessions.
The Octo malware that emerged in January, Threat Fabric says, is an updated and rebranded version of ExobotCompact. Its most important new feature, they underline, is a remote access capability that allows operators to perform on-device fraud (ODF).
“ODF is the most dangerous, risky, and inconspicuous type of fraud, where transactions are initiated from the same device that the victim uses every day. In this case, anti-fraud engines are challenged to identify the fraudulent activity with a significantly smaller number of suspicious indicators compared to other types of fraud performed through different channels,” Threat Fabric notes.
Remote control over a device requires screen streaming and a way to execute actions. The malware uses built-in Android features for both, namely MediaProjection and AccessibilityService, which give operators near real-time visibility into what is happening on the device’s screen.
To hide its malicious activities, the malware uses an option to display a black screen overlay and another to disable all notifications. At the same time, based on received commands, the malware can perform gestures and clicks, perform specific actions, set clipboard text, and paste clipboard content.
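As an added defender-side example (not code from the Threat Fabric report), the following Python script triages an Android manifest for the building blocks described above: a service bound with `BIND_ACCESSIBILITY_SERVICE`, a foreground service typed for `mediaProjection`, plus the overlay and SMS permissions that overlay attacks and SMS interception depend on. The two sample manifests and their package names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (hypothetical package names, not from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.triage.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".svc.A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".svc.Screen"
             android:foregroundServiceType="mediaProjection|dataSync"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.triage.benign">
  <application><service android:name=".SyncService"/></application>
</manifest>"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}

def triage_manifest(xml_text):
    """Return which remote-control building blocks the manifest declares."""
    root = ET.fromstring(xml_text)
    findings = {"accessibility_services": [], "media_projection_services": [],
                "system_alert_window": False, "sms_permissions": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name == "android.permission.SYSTEM_ALERT_WINDOW":
            findings["system_alert_window"] = True   # needed for screen overlays
        elif name in SMS_PERMS:
            findings["sms_permissions"].append(name)
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name", "")
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings["accessibility_services"].append(name)
        # foregroundServiceType may list several '|'-separated types
        types = svc.get(ANDROID + "foregroundServiceType", "").split("|")
        if "mediaProjection" in types:
            findings["media_projection_services"].append(name)
    # Screen capture plus an accessibility service is the pairing that enables remote control.
    findings["remote_control_capable"] = bool(findings["accessibility_services"]
                                              and findings["media_projection_services"])
    return findings

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
```

The `mediaProjection` foreground service type is only mandatory for apps targeting recent Android versions, so treat its absence as inconclusive rather than as a clean result.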
With the help of these commands, an operator can use Octo to initiate fraudulent transactions and authorize them automatically, Threat Fabric explains.
The Octo botnet is “owned” by a threat actor named Architect, who is likely the same person behind Exobot and the first version of ExobotCompact as well. However, the security researchers believe that there are at least five different threat actors using the botnet at the moment.
“Rebranding to Octo erases previous ties to the Exobot source code leak, inviting multiple threat actors looking for an opportunity to rent an allegedly new and original Trojan. Its capabilities put at risk not only explicitly targeted applications that are targeted by overlay attack, but any application installed on the infected device as ExobotCompact/Octo is able to read content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF),” Threat Fabric concludes.