Octo2 Android Banking Trojan

Written by The Hivemind | Oct 7, 2024 6:06:59 PM

Related Families: Exobot, ExobotCompact, Octo
Verticals Targeted: Financial

Executive Summary

Octo2, an updated version of Octo Android banking trojan, was recently observed targeting Android users in Europe.

Key Takeaways

  • Octo2, an updated version of Octo Android banking trojan, was recently observed targeting Android users in Europe.
  • Octo2 features several improvements over the previous Octo variant, including increased stability of remote control sessions and RAT functionality, more sophisticated anti-analysis and anti-detection methods, and use of a domain generation algorithm (DGA) to dynamically generate the C2 server name. 
  • So far, Octo2 has only been observed targeting Android users in Europe, more specifically Italy, Poland, Moldova, and Hungary. 
  • Octo2 infections are expected to become more widespread and have a global reach, as threat actors currently leveraging Octo transition to adopting Octo2. 

What is Octo2?

Octo, also known as ExobotCompact, is a well-known Android banking trojan and is currently one of the most widespread. Octo2, an updated version of Octo, was recently observed targeting Android users in Europe. Octo2 is considered to be an emerging and evolving threat. Threat Fabric reported on Octo2.

Exobot, a precursor to Octo, was first observed in 2016. In its original form, it was a banking trojan capable of overlay attacks and of taking over calls, SMS, and push notifications. Multiple Exobot variants, including the more streamlined ExobotCompact, were released between 2016 and 2021. In 2022, Octo was first mentioned on forums and was found to be a descendant of Exobot. A threat actor known as Architect originally posted about Octo on underground forums and claimed to be the owner of this malware, which operates as malware-as-a-service (MaaS). Earlier this year, the source code of Octo was leaked, and several forks of the malware were created by multiple threat actor groups. Following this wave of Octo clones, the original threat actor, Architect, released the updated Octo2.

Octo2 features several improvements over the previous Octo variant. Upgrades include increased stability of remote control sessions and RAT functionality, more sophisticated anti-analysis and anti-detection methods, and use of a domain generation algorithm (DGA) to dynamically generate the C2 server name. Octo2 is distributed disguised as legitimate apps, including Google Chrome and NordVPN. Researchers at Threat Fabric observed Zombinder being used for the first stage of installation. When it is launched, Zombinder requests installation of an additional plugin, which is Octo2. This staged installation allows the malware to bypass Android 13+ restrictions.

An Emerging and Evolving Threat

Octo2 is both an emerging and an evolving threat. Threat Fabric noted that the discovery of Octo2 points toward a shift in the threat landscape, with the updated features making Octo2 more stealthy and more efficient than its predecessor. Additionally, the improvements to remote control stability give threat actors a more robust on-device fraud (ODF) capability.

At present, Octo2 has only been observed targeting Android users in Europe, more specifically Italy, Poland, Moldova, and Hungary. However, prevalence of the malware is expected to increase as threat actors currently leveraging Octo transition to adopting Octo2. Victimology could expand to include the countries current Octo “customers” have targeted, such as those in Europe, USA, Canada, the Middle East, Singapore, and Australia. 

IOCs

PolySwarm has a sample of Octo2.

83eea636c3f04ff1b46963680eb4bac7177e77bbc40b0d3426f5cf66a0c647ae

You can use the following CLI command to search for all Octo2 samples in our portal:

$ polyswarm link list -f Octo2
