New financial Trojan Octo can remotely control Android devices

New financial Trojan Octo can remotely control Android devices

New financial Trojan Octo can remotely control Android devices

Octo has the ability to remotely control Android devices, and can obtain all the content displayed on the screen of the victim device.

Hackers mainly launch attacks through fake program update messages and Android programs that contain Octo.

ThreatFabric found that Octo used Google Play or a phishing message to get into the victim’s phone. It was embedded in a number of applications, or sent an update link pretending to be Chrome, a financial program, or a messenger; once it successfully entered the victim’s device, it could Intercept text messages or notifications, access the address book on the device, and record calls; Octo also has overlay attack (Overlay Attack) and keyboard transcript capabilities. (Image source / ThreatFabric)

Dutch mobile security firm ThreatFabric revealed a new financial Trojan, Octo , last week, stating that it has the ability to remotely control Android devices, access all the content displayed on the screen of a victim device, and has been exploited by at least five hacker groups. use.

ThreatFabric believes that Octo should be the descendant of the Exobot financial Trojan family. The version is ExobotCompact.D, which first appeared in November last year.

In order to eliminate buyers’ doubts that the source code of Exobot has been leaked, the author will add ExobotCompact.D in January this year. Renamed Octo and leased through hacker forums.

Compared with the previous version, Octo has the remote access capability. It uses the MediaProjection function of the Android platform to perform screen streaming, and then uses another AccessibilityService function to perform tasks remotely.

The former can transmit the victim device once per second. The screenshots above allow the hacker to closely observe the status of the victim device, which means that the hacker can control the password management program, cryptocurrency wallet program, banking program, two-factor authentication program and game login on the device, etc. easily and conveniently. Can perform device fraud.

Octo uses Google Play or a phishing SMS to get into the victim’s phone, it’s embedded in many apps, or it sends an update link pretending to be Chrome, a financial app, or a messenger; once it gets on the victim’s device, it can intercept the SMS Or notification, get the address book on the device, and record calls; Octo also has overlay attack (Overlay Attack) and keyboard skimming capabilities, can control programs with input fields, and obtain one-time passwords that appear on the screen; It can evade detection by antivirus software and avoid being removed by users.

The researchers found that at least 5 hacker groups, including the Octo author, have used the Octo botnet to launch attacks. One of them created a Fast Cleaner program with Octo, and it has been listed on Google Play, with more than 50,000 users. The program, installed on Android devices, targeted financial institution clients in Spain, Belgium, Portugal and Italy.

Image source / ThreatFabric

There are not many Octo malwares that have successfully landed on Google Play. According to ThreatFabric’s observation, after renting the Octo service, most of these hackers use phishing messages to lure users to third-party websites to download malicious programs. These malicious programs may disguise as Google Updates to Play, Chrome, various financial programs, or various messengers.

In conclusion, although malware may also successfully sneak into Google Play, the proportion is not high after all, and Android users must pay special attention to those update links from SMS.