This new Android malware impersonates VPN and browser tools, but don't be fooled


A new Android malware has been spotted spreading across Europe masquerading as popular software and apps.

Octo2, seemingly a successor to the wildly popular Octo trojan, was detected by cybersecurity researchers from ThreatFabric, who warned that hackers have been spreading it under the guise of popular VPN software, browsers, and more. Victims are tricked into visiting either fake websites or risky third-party app repositories, where they download what appear to be NordVPN, Google Chrome, or an app called Europe Enterprise.

These are not the genuine apps: installing them infects the device with Octo2, an advanced Android trojan that gives the crooks remote access, screen recording that is invisible to the user, keylogging, various self-protection techniques, on-device fraud, SMS and notification manipulation, and more.

Notable improvements

Compared to the original Octo, the second version comes with a few notable improvements, including better operational stability, more advanced anti-analysis and anti-detection mechanisms, and a domain generation algorithm (DGA) system that grants threat actors a more resilient C2 communication.
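The DGA mentioned above matters to defenders because a malware sample that computes its C2 domains algorithmically cannot be cut off by blocking a fixed list of domains; instead, the generated names tend to stand out in DNS logs as long, high-entropy, vowel-poor labels queried in bursts by one client. The following is an added example written for this article, not code from ThreatFabric or from the Octo2 sample: it scores domains from a constructed DNS query log with simple lexical heuristics and counts suspicious lookups per client. The log format, the sample domains and the scoring thresholds are all assumptions; the article does not describe how Octo2's DGA actually builds its names, so this is a generic detection heuristic, not a signature for this family.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real Octo2 traffic).
# Assumed format: "<timestamp> <client-ip> <queried-domain>"
SAMPLE_DNS_LOG = """\
2024-09-24T10:01:02Z 10.0.0.5 www.google.com
2024-09-24T10:01:03Z 10.0.0.5 nordvpn.com
2024-09-24T10:01:04Z 10.0.0.7 xk3qz9vbtw7lp2m.com
2024-09-24T10:01:05Z 10.0.0.7 qwmzk4t8rhp1xcv.net
2024-09-24T10:01:06Z 10.0.0.9 play.google.com
2024-09-24T10:01:07Z 10.0.0.7 bzrtplqmxwvk.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<domain>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character in the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Return the second-level label (e.g. 'google' for www.google.com).
    Assumption: single-label public suffixes only; co.uk-style suffixes
    would need a public suffix list."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Heuristic 0-4 score: higher means more DGA-like. Thresholds are assumptions."""
    label = registrable_label(domain)
    if not label:
        return 0
    n = len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = 0
    if shannon_entropy(label) > 3.5:   # many distinct characters, little repetition
        score += 1
    if vowel_ratio < 0.2:              # unpronounceable consonant runs
        score += 1
    if digit_ratio > 0.15:             # digits mixed into the label
        score += 1
    if n >= 12:                        # long labels are rarer in real brands
        score += 1
    return score


def scan_log(text, threshold=2):
    """Return [(client, domain, score)] for lookups scoring at or above threshold."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        score = dga_score(m.group("domain"))
        if score >= threshold:
            flagged.append((m.group("client"), m.group("domain"), score))
    return flagged


def suspicious_clients(text, threshold=2):
    """Count flagged lookups per client; a DGA host produces bursts, not single hits."""
    counts = Counter(client for client, _, _ in scan_log(text, threshold))
    return dict(counts)


if __name__ == "__main__":
    for client, domain, score in scan_log(SAMPLE_DNS_LOG):
        print(f"{client} {domain} score={score}")
    print(suspicious_clients(SAMPLE_DNS_LOG))
```

In practice this belongs behind a per-client rate check (many flagged lookups, often with NXDOMAIN answers, in a short window) rather than being used as a single-domain verdict, since legitimate short brand names such as nordvpn also trip the vowel-ratio test on their own.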

Since the malware is not found on Google Play and is not distributed through the official Android repository, it is difficult to determine exactly how many devices are infected. ThreatFabric says that the majority of the victims are located across Europe, in Italy, Poland, Moldova, and Hungary.

However, the original Octo was a malware-as-a-service (MaaS) platform, and its victims were found all over the world, including the US, Canada, Australia, and the Middle East. Therefore, it’s safe to assume it’s only a matter of time before Octo2 is spotted there, as well.

ThreatFabric believes Octo2 is the developer’s response to Octo’s source code leaking earlier this year. When it happened, many threat actors used the code to create unique versions of the malware, possibly hurting the developer’s sales. Therefore, Octo2 could be a way to bring them back. Allegedly, there is a special discount for Octo users, as well.

In a statement to TechRadar Pro, Google said that Google Play Protect automatically protects users from known versions of this malware.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
