Octo2 Android Malware Attacking To Steal Banking Credentials


The mobile threat landscape has grown increasingly dangerous: cyberattacks surged by 350% in 2023, driven largely by the shift towards remote work.

Mobile devices are now prime targets for various threats, including mobile phishing, malware, and malicious apps that exploit vulnerabilities across major platforms like “iOS” and “Android.”


Cybersecurity researchers at Threat Fabric recently discovered Octo2 Android malware that has been attacking users to steal banking credentials.

Android Malware Attacking Banking Users

With the emergence of a new variant of the Octo (formerly “ExobotCompact”) malware family which is dubbed “Octo2,” the cybersecurity landscape has evolved.


Octo is a banking trojan descended from the ‘Exobot’ lineage; first seen in 2016, it has evolved significantly since then.

From Exobot to Octo2 (Source – Threat Fabric)

Octo2 significantly enhances the remote-action capabilities that are crucial for “Device Takeover” attacks and employs advanced obfuscation methods.

Initially, it was observed targeting Italy, Poland, Moldova, and Hungary. Besides this, the Octo2 malware disguises itself as popular apps like “Google Chrome” and “NordVPN.” 

Octo2 campaigns (Source – Threat Fabric)

According to Threat Fabric’s analysis, the malware uses “Zombinder” as a first-stage loader to evade the Android 13+ security restrictions.

The malware intercepts push notifications from the targeted applications, a target list that shows its focus on banking and financial services.

Octo2 offers several sophisticated features, such as ‘overlay attacks’ for credential theft and ‘control over calls, SMS, and notifications.’

Given its Malware-as-a-Service model and the recent source code leak of its predecessor, security experts anticipate Octo2’s rapid global spread, which would pose a significant threat to mobile banking users worldwide.

Octo2 – New Features And Enhancements

The new features and enhancements in Octo2 are:

  • Increased RAT stability
  • Improved anti-analysis and anti-detection techniques
  • Communication with C2 and Domain Generation Algorithm (DGA)
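The DGA point in the list above is where a defender most wants something concrete. The following is an added example, not Threat Fabric’s analysis and not code recovered from Octo2; it assumes nothing about Octo2’s actual algorithm. It applies a generic lexical heuristic (entropy of the registrable label plus vowel and digit ratios) to DNS resolver log lines and counts NXDOMAIN answers per device, because DGA-driven malware typically queries many unregistered candidate names before reaching a live C2. The log format, the device names and every domain in the sample are constructed for the example.

```python
"""Heuristic DGA detector over DNS query logs (added example, constructed data)."""
import math
import re
from collections import Counter

# Constructed resolver log excerpt. None of these names are real Octo2
# infrastructure; the "random" labels were made up to look DGA-like.
SAMPLE_DNS_LOG = """\
2024-09-20T10:01:02Z device=phone-01 q=www.google.com rcode=NOERROR
2024-09-20T10:01:05Z device=phone-01 q=api.nordvpn.com rcode=NOERROR
2024-09-20T10:01:09Z device=phone-01 q=xk9q2v7tbw4nzp.com rcode=NXDOMAIN
2024-09-20T10:01:12Z device=phone-02 q=mail.example.org rcode=NOERROR
2024-09-20T10:01:15Z device=phone-01 q=qw7rz3pk8vn5xt.net rcode=NXDOMAIN
2024-09-20T10:01:20Z device=phone-02 q=login.bankexample.com rcode=NOERROR
"""

# Assumed log layout: key=value fields separated by whitespace.
LOG_RE = re.compile(r"device=(?P<device>\S+)\s+q=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)")
VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Label left of the TLD. Naive: assumes a one-label public suffix (no co.uk)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(len(s))."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def dga_score(qname: str, entropy_min: float = 3.3, vowel_max: float = 0.25,
              digit_min: float = 0.2) -> dict:
    """Score one query name. Thresholds are illustrative, tune them on your own traffic."""
    label = registrable_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    entropy = shannon_entropy(label)
    # High entropy alone misfires on long brand names, so require a second signal:
    # almost no vowels (consonant soup) or a noticeable share of digits.
    suspicious = entropy >= entropy_min and (vowel_ratio <= vowel_max or digit_ratio >= digit_min)
    return {"label": label, "entropy": entropy, "vowel_ratio": vowel_ratio,
            "digit_ratio": digit_ratio, "suspicious": suspicious}


def _parse(log_text: str):
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["device"], m["qname"], m["rcode"]


def scan_dns_log(log_text: str) -> list:
    """Return (device, qname) pairs whose registrable label looks machine-generated."""
    return [(device, qname) for device, qname, _ in _parse(log_text)
            if dga_score(qname)["suspicious"]]


def devices_with_dga_bursts(log_text: str, min_nxdomain: int = 2) -> dict:
    """Devices with at least min_nxdomain NXDOMAIN answers for DGA-looking names.

    A single odd lookup is noise; a run of failed lookups of random labels from
    one device is the classic footprint of a DGA walking its candidate list.
    """
    counts = Counter()
    for device, qname, rcode in _parse(log_text):
        if rcode == "NXDOMAIN" and dga_score(qname)["suspicious"]:
            counts[device] += 1
    return {d: c for d, c in counts.items() if c >= min_nxdomain}


if __name__ == "__main__":
    for device, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DGA-like query from {device}: {qname} ({dga_score(qname)['entropy']:.2f} bits)")
    print("devices with NXDOMAIN bursts:", devices_with_dga_bursts(SAMPLE_DNS_LOG))
```

The per-device NXDOMAIN count is the more robust of the two signals; the lexical score on its own will flag some legitimate CDN or tracking hostnames, so in practice it is used to rank candidates for analyst review rather than to block on sight.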

Octo2 is built upon its predecessor, “Octo,” whose leaked source code enabled the new variant to extend its capabilities.

Beyond ‘Device Takeover’ attacks, it also runs remote control sessions that are more ‘stable’ and ‘complicated to detect.’

The new variant also incorporates enhanced anti-detection and anti-analysis techniques.

The malware’s primary focus is mobile banking applications: performing undetected “on-device fraud” and stealing sensitive data.

Its modular design lets threat actors tailor it to their needs. This evolution in mobile malware highlights the need for strict vigilance by users and financial institutions.



