Beware, this new Android banking malware could hijack your phone

(Image credit: Future)

A popular mobile banking trojan has been upgraded and rebranded for sale on dark web forums, cybersecurity researchers have discovered.

Experts from ThreatFabric recently identified the highly dangerous Android malware strain, known as Octo, which allows the threat actor to operate the compromised endpoint from a remote location.

The attacker uses the Accessibility Service to conduct the remote actions, and a live stream module (using the Android MediaProjection) to view the display.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

ExoCompact is back 

By overlaying the screen with black, the attacker can trick the user into thinking the device is turned off. The malware can also set screen brightness to zero, and disable all notifications. 

Once the device is ready, the attacker can do all sorts of things, from writing text messages, modifying the clipboard, pasting data and more. It also works as a keylogger, allowing for the theft of passwords and credit card details.

After obtaining the sample, the researchers established that Octo is essentially an upgraded and evolved version of an old Android malware called ExoCompact.

ExoCompact is a trojan whose author reportedly quit in 2018, and had the source code for the trojan leaked online. However, the researchers now claim that it’s the same threat actor that now offers Octo - an individual known as “Architect” or “goodluck”.

They managed to trace the malware to seven apps found in the Play Store:

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2)
  • Play Store app install (com.theseeye5)

All of the apps have now been removed from Google’s app repository, but at least 50,000 devices have been compromised.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.