A popular mobile banking trojan has been upgraded and rebranded for sale on dark web forums, cybersecurity researchers have discovered.
Experts from ThreatFabric recently identified the highly dangerous Android malware strain, known as Octo, which allows the threat actor to operate the compromised endpoint from a remote location.
The attacker uses the Accessibility Service to conduct the remote actions, and a live stream module (using the Android MediaProjection) to view the display.
ExoCompact is back
By overlaying the screen with black, the attacker can trick the user into thinking the device is turned off. The malware can also set screen brightness to zero, and disable all notifications.
Once the device is ready, the attacker can do all sorts of things, from writing text messages, modifying the clipboard, pasting data and more. It also works as a keylogger, allowing for the theft of passwords and credit card details.
After obtaining the sample, the researchers established that Octo is essentially an upgraded and evolved version of an old Android malware called ExoCompact.
ExoCompact is a trojan whose author reportedly quit in 2018, and had the source code for the trojan leaked online. However, the researchers now claim that it’s the same threat actor that now offers Octo - an individual known as “Architect” or “goodluck”.
They managed to trace the malware to seven apps found in the Play Store:
- Pocket Screencaster (com.moh.screen)
- Fast Cleaner 2021 (vizeeva.fast.cleaner)
- Play Store (com.restthe71)
- Postbank Security (com.carbuildz)
- Pocket Screencaster (com.cutthousandjs)
- BAWAG PSK Security (com.frontwonder2)
- Play Store app install (com.theseeye5)
All of the apps have now been removed from Google’s app repository, but at least 50,000 devices have been compromised.
Via BleepingComputer