New Octo Banking Trojan Spreads Through Fake Apps on Google Play Store


A number of rogue Android apps that have cumulatively been installed more than 50,000 times from the official Google Play Store are being used to target banks and other financial entities.

The rental banking Trojan, dubbed Octo, is said to be a rebranding of another Android malware called ExobotCompact, which in turn is a “lightweight” replacement for its predecessor Exobot, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.

Exobot is also believed to have paved the way for a separate descendant called Coper, which was initially discovered targeting Colombian users in July 2021, with newer infections targeting Android users in various European countries.

Cybersecurity firm Cyble noted in a malware analysis last month that “Coper malware applications are modular in design and include a multi-stage infection method and several defensive tactics to survive removal attempts.”


Like other Android banking Trojans, the rogue apps are nothing more than droppers, whose primary function is to deliver the malicious payload embedded in them. Below is the list of Octo and Coper droppers used by several threat actors –

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (vizeeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2)
  • Play Store app install (com.theseeye5)

These apps, which pose as Play Store app installers, screen recorders and financial apps, are “powered by innovative distribution schemes,” and are pushed both through the Google Play Store and via fraudulent landing pages that purportedly alert users to download a browser update.


The droppers, once installed, act as a conduit for launching the Trojans, but not before prompting users to enable accessibility services, which give the malware a wide range of capabilities to extract sensitive information from the compromised phones.
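The two indicators a practitioner can act on from the text above are the dropper package names in the list and the fact that the payload needs an enabled accessibility service. The following triage helper, an added example that is not part of the original report or of ThreatFabric's tooling, checks the output of two adb commands against both: `adb shell pm list packages` (one `package:<name>` line per app) and `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, or `null` when none is enabled). The sample device output, the service class names and the TalkBack allowlist entry are constructed for the example.

```python
"""Triage helper: flag the Octo/Coper dropper packages listed above and any
non-allowlisted accessibility service, using the text output of two adb
commands. Added example; the sample device output below is constructed."""

# Package names and display names taken from the dropper list in the article.
OCTO_COPER_DROPPERS = {
    "com.moh.screen": "Pocket Screencaster",
    "vizeeva.fast.cleaner": "Fast Cleaner 2021",
    "com.restthe71": "Play Store",
    "com.carbuildz": "Postbank Security",
    "com.cutthousandjs": "Pocket Screencaster",
    "com.frontwonder2": "BAWAG PSK Security",
    "com.theseeye5": "Play Store app install",
}

# Example allowlist (assumption): Google's TalkBack screen reader legitimately
# runs as an accessibility service. Extend this with your fleet's known services.
EXAMPLE_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})

# Constructed output of `adb shell pm list packages`.
SAMPLE_PM_LIST = """package:com.android.settings
package:com.google.android.marvin.talkback
package:com.theseeye5
package:com.example.notes
"""

# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
# The service class names after '/' are made up for the example.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.theseeye5/.a11y.OverlayService:"
    "com.example.notes/.HelperService\n"
)


def parse_pm_list(output):
    """Return the set of package names from `pm list packages` output."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_enabled_a11y(output):
    """Return the list of 'pkg/Service' entries from the secure setting value."""
    value = output.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def triage(pm_output, a11y_output, allowlist=EXAMPLE_ALLOWLIST):
    """Return (severity, package, detail) findings.

    severity is one of:
      known_dropper       - a listed Octo/Coper dropper package is installed
      known_dropper_a11y  - a listed dropper has an accessibility service enabled
      unexpected_a11y     - some other non-allowlisted app has one enabled
    """
    installed = parse_pm_list(pm_output)
    findings = []
    for pkg in sorted(installed & set(OCTO_COPER_DROPPERS)):
        findings.append(("known_dropper", pkg, OCTO_COPER_DROPPERS[pkg]))
    for entry in parse_enabled_a11y(a11y_output):
        pkg = entry.split("/", 1)[0]
        if pkg in allowlist:
            continue
        severity = "known_dropper_a11y" if pkg in OCTO_COPER_DROPPERS else "unexpected_a11y"
        findings.append((severity, pkg, entry))
    return findings


if __name__ == "__main__":
    for severity, pkg, detail in triage(SAMPLE_PM_LIST, SAMPLE_A11Y_SETTING):
        print(f"{severity:20} {pkg:35} {detail}")
```

Treat an `unexpected_a11y` hit as a lead, not a verdict: legitimate password managers and automation apps also register accessibility services, so the allowlist has to reflect what your users actually run. A `known_dropper_a11y` hit, by contrast, matches the exact behaviour the report describes and warrants pulling the APK for analysis.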

Octo, the revised version of ExobotCompact, is also equipped to perform on-device fraud through remote device control, abusing the accessibility permissions as well as Android’s MediaProjection API to capture screen contents in real time.

ThreatFabric said the ultimate goal is to trigger “the automatic initiation and authorization of fraudulent transactions without manual efforts from the operator, thus allowing fraud on a much larger scale.”

Other notable features of Octo include logging keystrokes, performing overlay attacks on banking apps to capture credentials, collecting contact information, and persistence measures to prevent uninstallation and evade antivirus engines.


ThreatFabric noted that “the rebranding to Octo erases previous links with the Exobot source code leak, inviting several threat actors to look for an opportunity to hire a new and innovative Trojan horse.”

“Its capabilities compromise not only the explicitly targeted applications that are attacked with overlays, but any application installed on the infected device, since ExobotCompact/Octo is capable of reading the content of any application displayed on the screen and providing the actor with enough information to interact with it remotely and perform on-device fraud (ODF).”

The findings come close on the heels of the discovery of a distinct Android bot called GodFather, which shares overlaps with the Cerberus and Medusa banking Trojans and has been observed targeting banking users in Europe under the guise of the default Settings app, transferring funds and stealing SMS messages, among other things.

Moreover, a new analysis published by AppCensus found 11 apps with more than 46 million installs that were implanted with a third-party SDK named Coelib, which made it possible to capture clipboard content, GPS data, email addresses, phone numbers, and even the MAC address of a user’s modem router and the network SSID.