Octo, a recently discovered Android banking trojan with remote access capabilities that allows cybercriminals to commit on-device fraud, has been observed in the wild.
Octo was discovered by ThreatFabric security experts, with a subsequent report showing that the trojan is being distributed via darknet market forums and that some malicious actors are interested in buying it.
The Octo Android malware, according to the report, evolved from ExoCompact, a malware variant based on the Exo trojan whose source code was made public in 2018.
Octo’s New “Skills”
Compared to ExoCompact, Octo adds an advanced remote access feature that enables cybercriminals to conduct on-device fraud (ODF) by controlling the affected Android device remotely.
Remote access is provided via the Accessibility Service and a live screen streaming module (updated every second) through Android’s MediaProjection.
As BleepingComputer explains, the trojan hides its remote-control activity from the victim behind a black screen overlay, sets the screen brightness to zero, and silences all notifications by turning on the “no interruption” mode.
Octo can carry out multiple tasks without the victim’s knowledge by making the device appear to be switched off. These tasks include screen taps, gestures, writing messages, modifying the clipboard, pasting data, and scrolling.
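The capability combination described above (an accessibility service for remote control, a screen overlay, screen capture, and the brightness and do-not-disturb changes used to conceal it) maps onto declarations an analyst can look for in an APK's manifest. The following is an added illustration written for this page, not code from ThreatFabric or BleepingComputer: a small static triage script that parses an AndroidManifest.xml and scores how much of that profile an app declares. The two manifests are constructed samples, not real apps, and the scoring thresholds are an assumption chosen for the example. One caveat is built in: the FOREGROUND_SERVICE_MEDIA_PROJECTION permission only appears in manifests targeting Android 14 and later, so on older targets screen streaming leaves no manifest trace and the heuristic cannot see it.

```python
"""Static triage of an AndroidManifest.xml for the capability combination
the Octo report describes: accessibility-driven remote control, a screen
overlay, screen capture, and brightness / do-not-disturb changes.
Added example; the sample manifests below are constructed, not real apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Manifest permissions behind the behaviours described in the article.
# FOREGROUND_SERVICE_MEDIA_PROJECTION is only declared by apps targeting
# Android 14+; on older targets MediaProjection is granted at runtime and
# leaves no manifest trace, so its absence is not evidence of absence.
INDICATORS = {
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",            # black screen overlay
    "brightness": "android.permission.WRITE_SETTINGS",             # screen brightness to zero
    "dnd": "android.permission.ACCESS_NOTIFICATION_POLICY",         # "no interruption" mode
    "media_projection": "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",  # screen streaming
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
CONCEALMENT = {"brightness", "dnd"}


def triage_manifest(xml_text):
    """Return the set of indicator labels declared in the manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {label for label, perm in INDICATORS.items() if perm in requested}
    # An AccessibilityService must be declared with this bind permission on
    # its <service> element, which makes it a reliable signal of the
    # remote-control capability the report describes.
    if any(s.get(PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service")):
        found.add("accessibility")
    return found


def risk_level(found):
    """Rank the combination (thresholds are an assumption for this example):
    remote control + overlay + at least one concealment or capture capability
    is the profile the report attributes to Octo."""
    if {"accessibility", "overlay"} <= found and (found & (CONCEALMENT | {"media_projection"})):
        return "high"
    if found & {"accessibility", "overlay"}:
        return "medium"
    return "low"


def triage(xml_text):
    """Convenience wrapper: (sorted indicator labels, risk level)."""
    found = triage_manifest(xml_text)
    return sorted(found), risk_level(found)


# Constructed sample manifests (hypothetical package names, not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".ControlService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found, level = triage(manifest)
        print("%s: %s %s" % (label, level, found))
```

The script is a prioritisation aid, not a verdict: legitimate screen readers, remote-support tools and some keyboard apps declare an accessibility service, and overlay permission is common in chat-bubble style apps, which is why the scoring only reaches "high" when the remote-control and overlay capabilities appear together with something used to hide them. Run it over the manifests pulled from an APK with a tool such as apktool, and treat a "high" result as a reason to look at what the accessibility service actually does.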