Hackers may be able to use your device to commit fraud; big props to this new trojan.
The evolution of malicious code packages over time is an interesting aspect of the malware life cycle. Threat actors seize something that works and improve or extend it. Exobot, a financial malware family that first appeared in 2016, went after consumers in numerous countries until it mutated into ExobotCompact, a remote access trojan (RAT) with multiple new subtypes, in 2018. Octo, a new RAT that evolved from Exobot but has even more deceitful characteristics, such as the ability to mask the trojan's activity while turning your phone into a vehicle for fraud, was recently found by cybersecurity researchers.
According to Bleeping Computer, cybersecurity researchers at Threat Fabric discovered Octo after detecting queries for it on the dark web. Threat Fabric reports that Octo shares several features with ExobotCompact, including efforts to prevent reverse engineering, code that makes it simple to hide inside an innocent-looking app on the Google Play Store, and the clever trick of disabling Google Play Protect upon download. What sets Octo apart, according to Threat Fabric, is its on-device fraud (ODF) feature. ODF isn't new to the malware world, but it is the feature that distinguishes Octo from the rest of the Exobot malware family.
Octo abuses Android's Accessibility service and sets up what amounts to a live stream from the hacked phone to the attacker's command and control servers, updated every second. It then uses a black screen overlay and disables notifications to keep the unsuspecting user in the dark about what it's up to. So, while it appears that your device has been turned off, the malware is having a party, performing operations such as scrolling, tapping, texting, and cutting and pasting while the screen is blank. Octo also employs keylogging to capture everything the victim types into the smartphone (such as PINs, social security numbers, and OnlyFans messages), and it can block and intercept push notifications from specific apps.
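Because Octo's on-device fraud hinges on holding the Accessibility service, one practical check for a defender is to audit which packages have that service enabled and flag any not on an allowlist. The script below is an added example, not code from the article or from Threat Fabric; the service list, the allowlist and the "fastcleaner" package name are constructed stand-ins for what `adb shell settings get secure enabled_accessibility_services` would return on a real device.

```shell
#!/bin/sh
# Added example (not from the article): audit enabled Android accessibility
# services, the capability Octo abuses for on-device fraud.
# On a real device the list comes from:
#   adb shell settings get secure enabled_accessibility_services
# A constructed sample stands in here so the script runs offline.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fastcleaner/com.example.fastcleaner.AccService'

# Constructed allowlist of packages expected to hold the service; adjust per fleet.
ALLOWED_PACKAGES='com.google.android.marvin.talkback'

# Print each enabled accessibility service whose package is not allowlisted.
# Arguments: colon-separated service list, colon-separated allowed packages.
# Returns 0 when every entry is allowlisted, 1 when at least one is not.
flag_unexpected_services() {
    services="$1"
    allowed="$2"
    found=0
    old_ifs=$IFS
    IFS=':'
    for entry in $services; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}                  # "package/Service" -> "package"
        case ":$allowed:" in
            *":$pkg:"*) ;;                # known-good package, skip it
            *) printf '%s\n' "$entry"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

if flag_unexpected_services "$SAMPLE_SERVICES" "$ALLOWED_PACKAGES"; then
    echo "no unexpected accessibility services enabled"
else
    echo "unexpected accessibility services enabled; review the entries above"
fi
```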
Octo is a fitting name for a piece of malware with such frightening versatility. Threat Fabric uncovered an innocent-looking app on Google Play called "Fast Cleaner" that was actually a "dropper" for Octo, in campaigns in which attackers are already using the malware. Droppers are ostensibly legitimate shells that contain malware payloads. They may even perform as advertised, but they are ultimately poisoned pills. "Fast Cleaner" was a popular dropper, according to the cybersecurity site, because it was also used to deliver other malware varieties, including Alien and Xenomorph.
Malicious software is growing more clever with each new iteration, as both Bleeping Computer and Threat Fabric point out, adding capabilities such as multi-factor authentication bypass. It's easy to feel utterly exposed in this situation. When it comes to securing yourself and your data, vigilance is essential. Keep up with the latest risks, and keep your device updated with the most recent security patches.