New Octo2 Android Trojan Unleashes Powerful Device Takeover Features

Cybersecurity experts have uncovered a new version of the notorious Android banking trojan, Octo, now enhanced with advanced capabilities for device takeover and fraudulent transactions.

The updated malware, dubbed Octo2 by its creator, has been found in ongoing campaigns across European countries such as Italy, Poland, Moldova, and Hungary, as revealed by a recent report.

The new version includes key improvements in its remote device takeover functionality, designed to give attackers greater control over infected devices. Reports highlight that several apps infected with Octo2 have been identified, masquerading as legitimate services under various names, including fake versions of popular apps like Google Chrome and NordVPN.

First identified in 2022, Octo is considered a descendant of the Exobot malware, which surfaced in 2016. Exobot, a banking trojan targeting financial institutions in various countries, was eventually slimmed down into a more streamlined version called ExobotCompact. Octo2’s rise is largely attributed to the public leak of the Octo source code, which allowed multiple threat actors to build their own variants of the malware.

Octo2 has also shifted to a malware-as-a-service (MaaS) model, enabling its developer to offer the trojan to cybercriminals seeking to execute information theft operations. Early adopters of Octo1 can now upgrade to Octo2 at no extra cost, paving the way for the malware to proliferate more broadly on a global scale.

One of the most notable enhancements in Octo2 is the introduction of a Domain Generation Algorithm (DGA), which helps cybercriminals quickly switch command-and-control (C2) servers, making it more difficult for security teams to block or disrupt the malware’s operations. This upgrade significantly increases the trojan’s resilience against domain blacklists and takedown attempts.
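As an added illustration from the defender's side (not code from the report or from the malware), the snippet below applies a small heuristic to resolver logs to surface DGA-like query names, the kind of traffic a DGA-equipped trojan produces while hunting for a live C2 domain. The log lines and domain names are constructed, and the scoring thresholds are assumptions to tune against your own traffic.

```python
import math
import re
from collections import Counter

# Constructed sample DNS resolver log lines (not from the report); the two
# 12-character labels are made-up stand-ins for algorithmically generated names.
SAMPLE_DNS_LOG = """\
2024-09-20T10:01:02Z client=10.0.0.5 query=www.google.com rcode=NOERROR
2024-09-20T10:01:05Z client=10.0.0.5 query=nordvpn.com rcode=NOERROR
2024-09-20T10:01:09Z client=10.0.0.5 query=xk3qz8vwpl2m.net rcode=NXDOMAIN
2024-09-20T10:01:11Z client=10.0.0.5 query=q7t9b2wzr4yh.com rcode=NXDOMAIN
2024-09-20T10:01:15Z client=10.0.0.5 query=login.microsoftonline.com rcode=NOERROR
"""

QUERY_RE = re.compile(r"client=(\S+) query=(\S+)")

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def registrable_label(fqdn: str) -> str:
    """Second-level label, e.g. 'google' for 'www.google.com' (assumes a one-label TLD)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn: str) -> int:
    """Count the DGA-like traits of the registrable label: 0 (benign-looking) to 3."""
    label = registrable_label(fqdn)
    if len(label) < 8:          # short labels are too ambiguous to score
        return 0
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    # Assumed thresholds: high entropy, almost no vowels, digits mixed into letters.
    return (shannon_entropy(label) >= 3.0) + (vowel_ratio < 0.2) + has_digit

def find_dga_candidates(log_text: str, threshold: int = 2) -> list[str]:
    """Return query names whose label shows at least `threshold` DGA-like traits."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and dga_score(m.group(2)) >= threshold:
            flagged.append(m.group(2))
    return flagged

if __name__ == "__main__":
    for name in find_dga_candidates(SAMPLE_DNS_LOG):
        print("DGA-like query:", name)
```

A burst of such names from one client, especially with NXDOMAIN answers, is the signal worth alerting on; a single hit on its own is weak evidence.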

The malware’s distribution relies on a known APK binding service called Zombinder, which allows legitimate apps to be trojanized by embedding the malicious code within an innocuous-looking plugin. Despite its reach, there is no evidence suggesting Octo2 is distributed via the Google Play Store. Instead, users are likely downloading it from third-party sources or being deceived through social engineering tactics.

With the source code for the original Octo malware already publicly available, the creation of Octo2 marks a significant evolution in the malware’s ability to remotely access devices, commit fraud, and intercept sensitive data. Its adoption and adaptation by different cybercriminal groups adds to the growing threat posed to mobile banking users worldwide.

To protect against threats like Octo2, mobile users should avoid downloading apps from unverified sources and remain vigilant when prompted to install unknown plugins or updates. Keep devices protected with reputable security software and apply the latest security updates promptly. Enabling two-factor authentication (2FA) on banking apps and accounts provides an additional layer of protection.