Introduction: –
Octo2 malware: Security researchers have recently observed a new variant of “Octo”, an Android banking trojan, resurfacing under an upgraded name, Octo2, with upgraded capabilities to match. Threat actors from around the globe are using this malware to perform Device Takeover, and it is not only about device takeover: it continues to undermine the security of online banking infrastructure and is being used to target mobile banking users worldwide.
Who is it affecting?
- As mentioned above, Octo was previously recognized as an Android banking trojan that attacked Android users engaged in mobile banking, posing a threat to customers and users alike. Some sources report that a number of European banks are already under attack by this Octo2 malware.
- Information from various sources on the internet warns that this malware is being distributed in the malicious applications listed below:
  - Europe Enterprise (com.xsusb_restore3)
  - Google Chrome (com.havirtual06numberresources)
  - NordVPN (com.handedfastee5)
Understanding about Octo2: –
The Octo malware family, and its new Octo2 variant, is a cyber threat often associated with sophisticated attacks targeting financial institutions and individuals. Here are the key points about it:
- A new variant (named Octo2) of Octo, currently the most widespread malware family, has been released by the original threat actor
- The malware developers took action to increase the stability of the remote action capabilities needed for Device Takeover attacks
- New Octo2 campaigns have been spotted in European countries
- Octo2 contains sophisticated obfuscation techniques to ensure the Trojan stays undetected, including the introduction of Domain Generation Algorithm (DGA)
How did it come into the limelight?
The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn multiple variants of the malware. “The emergence of this Octo2 variant represents a significant evolution in mobile malware, particularly in the context of banking security,” ThreatFabric said, commenting on the malware’s new features.
“Based on the source code of the banking Trojan Marcher, Exobot was maintained until 2018, targeting financial institutions with a variety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan,” ThreatFabric noted at the time.
Since 2022, our Mobile Threat Intelligence team has observed increasing activity from Octo and its operators. More campaigns have been spotted in the wild, and more actors have gained access to this malware family, attracted by its extensive capabilities, including continuously updated remote access features.
In 2024, several notable events affected the mobile threat landscape, some related to Octo. First, the source code of Octo was leaked, resulting in multiple forks launched by other threat actors. The leak of the source codes was likely one of the main reasons behind the second notable event in the story of Octo: a new version, Octo2, was released by the original threat actor.
How does it spread?
Octo has transitioned to a malware-as-a-service (MaaS) operation, per Team Cymru, enabling the developer to monetize the malware by offering it to cybercriminals who are looking to carry out information theft operations. “When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access,” ThreatFabric said. “We can expect that the actors that were operating Octo1 will switch to Octo2, thus bringing it to the global threat landscape.”
The rogue Android apps distributing the malware are created using a known APK binding service called Zombinder, which makes it possible to trojanize legitimate applications such that they retrieve the actual malware (in this case, Octo2) under the guise of installing a “necessary plugin.”
In the Octo2 campaigns that were spotted by ThreatFabric, we observed Zombinder serving as the first stage of the installation: upon launch, Zombinder will request the installation of an additional “plugin” which is, in fact, Octo2, thus successfully bypassing Android 13+ restrictions.
Zombinder tricking the victim into allowing the installation of Octo2
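Added example, not part of the original post or of ThreatFabric's work: a defender-side triage script that checks an Android app inventory for the dropper package names listed earlier and for apps whose display name borrows a well-known brand (Google Chrome, NordVPN) while sitting under a package the vendor does not own, which is the pattern the Zombinder-built droppers above follow. The inventory format and sample entries are constructed, and the official package ids are an assumption to verify with the vendors.

```python
# Added example, not from the original post: triage an Android app inventory
# for the Octo2 dropper packages named above, and for apps whose display name
# impersonates a well-known app under a package the vendor does not own.
# Input format (constructed): one "label<TAB>package" pair per line.

# Dropper package names reported in the post.
OCTO2_DROPPER_PACKAGES = {
    "com.xsusb_restore3",              # "Europe Enterprise"
    "com.havirtual06numberresources",  # posing as "Google Chrome"
    "com.handedfastee5",               # posing as "NordVPN"
}

# Assumed allowlist of official ids for the impersonated brands (verify with vendors).
OFFICIAL_PACKAGES = {
    "google chrome": {"com.android.chrome"},
    "nordvpn": {"com.nordvpn.android"},
}

def parse_inventory(text: str) -> list[tuple[str, str]]:
    """Parse 'label<TAB>package' lines, skipping blanks and '#' comments."""
    apps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            label, package = line.split("\t", 1)
            apps.append((label.strip(), package.strip()))
    return apps

def triage(apps: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (package, label, reason) for known droppers and impersonators."""
    findings = []
    for label, package in apps:
        official = OFFICIAL_PACKAGES.get(label.lower())
        if package in OCTO2_DROPPER_PACKAGES:
            findings.append((package, label, "known Octo2 dropper package"))
        elif official and package not in official:
            findings.append((package, label, "brand label under non-official package"))
    return findings

SAMPLE_INVENTORY = """\
# constructed sample inventory
Google Chrome\tcom.android.chrome
Google Chrome\tcom.havirtual06numberresources
NordVPN\tcom.nordvpn.android
NordVPN\tcom.example.fake.nord
Europe Enterprise\tcom.xsusb_restore3
Secure VPN\tcom.handedfastee5
"""

if __name__ == "__main__":
    for package, label, reason in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{package:34} {label:18} {reason}")
```

On a real device the package list can be collected with `adb shell pm list packages`; the display labels must be resolved separately before feeding the pairs to `triage`.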
Key Features: –
- Increased stability of remote-control sessions
- Device Takeover (DTO)
- Anti-detection and anti-analysis techniques
- Communication with C2 and Domain Generation Algorithm (DGA)