A popular mobile banking trojan has been upgraded and rebranded for sale on dark web forums, cybersecurity researchers have discovered.
Experts from ThreatFabric recently identified the highly dangerous Android malware strain, known as Octo, which allows the threat actor to operate the compromised endpoint from a remote location.
The attacker abuses the Android Accessibility Service to carry out the remote actions, and a live-stream module (built on the Android MediaProjection API) to view the display.
ExoCompact is back
By overlaying the screen with black, the attacker can trick the user into thinking the device is turned off. The malware can also set screen brightness to zero, and disable all notifications.
Once remote control is established, the attacker can do all sorts of things, from writing text messages to modifying the clipboard and pasting data. The malware also works as a keylogger, allowing for the theft of passwords and credit card details.
After obtaining the sample, the researchers established that Octo is essentially an upgraded and evolved version of an old Android malware called ExoCompact.
ExoCompact is a trojan whose author reportedly quit in 2018, after which the trojan's source code was leaked online. However, the researchers now claim that the same threat actor is behind Octo: an individual known as "Architect" or "goodluck".
The researchers traced the malware to seven apps found in the Play Store:
- Pocket Screencaster (com.moh.screen)
- Fast Cleaner 2021 (vizeeva.fast.cleaner)
- Play Store (com.restthe71)
- Postbank Security (com.carbuildz)
- Pocket Screencaster (com.cutthousandjs)
- BAWAG PSK Security (com.frontwonder2)
- Play Store app install (com.theseeye5)
All of the apps have now been removed from Google’s app repository, but at least 50,000 devices have been compromised.
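For anyone triaging a fleet of Android devices against this report, the two observable points above are the package names ThreatFabric listed and the Accessibility Service abuse described earlier. The script below is an added example written for this page; it is not code from ThreatFabric, TechRadar or BleepingComputer. It parses the output format of `adb shell pm list packages` (lines of the form `package:<name>`) and of `adb shell settings get secure enabled_accessibility_services` (colon-separated `<package>/<service>` entries), and flags any entry whose package name is on the article's list. The device output embedded in the script is constructed sample data so it runs offline; the package names in the `OCTO_PACKAGES` list are the ones from the article.

```shell
#!/bin/sh
# Defensive triage helper (added example, not part of the original report).
# Matches installed packages and enabled accessibility services against the
# package names published for the Octo campaign.

# Package names reported in the article.
OCTO_PACKAGES="com.moh.screen vizeeva.fast.cleaner com.restthe71 com.carbuildz com.cutthousandjs com.frontwonder2 com.theseeye5"

# CONSTRUCTED sample of `pm list packages` output (one "package:<name>" per line).
SAMPLE_PM_LIST="package:com.android.settings
package:com.carbuildz
package:com.example.benign
package:com.cutthousandjs"

# CONSTRUCTED sample of enabled_accessibility_services: colon-separated
# "<package>/<service class>" entries, as the settings provider returns them.
SAMPLE_A11Y="com.carbuildz/com.carbuildz.AccService:com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Read `pm list packages` output on stdin; print each package that is on the IoC list.
find_known_packages() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        for ioc in $OCTO_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# Take the enabled_accessibility_services value as $1; print each IoC package
# that currently holds an enabled accessibility service.
find_a11y_abuse() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        pkg=${entry%%/*}          # strip the "/<service class>" suffix
        for ioc in $OCTO_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# Number of installed packages on the IoC list; handy as a script exit status.
count_matches() {
    printf '%s\n' "$1" | find_known_packages | wc -l | tr -d ' '
}

# Stand-alone run over the constructed samples. Against a real device use:
#   adb shell pm list packages | find_known_packages
#   find_a11y_abuse "$(adb shell settings get secure enabled_accessibility_services)"
printf 'Installed packages matching Octo IoCs:\n'
printf '%s\n' "$SAMPLE_PM_LIST" | find_known_packages
printf 'Octo IoC packages with an enabled accessibility service:\n'
find_a11y_abuse "$SAMPLE_A11Y"
```

A package-name match is only a first signal: a repackaged copy can ship under a different name, so a hit should trigger a closer look at which apps hold accessibility or screen-capture permissions rather than be treated as the whole check.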
Via BleepingComputer