Phony Android Apps on Google Play Store Disseminate the New Octo Banking Trojan

Phony Android Apps on Google Play Store Disseminate the New Octo Banking Trojan

Banks and other financial institutions are being targeted by a slew of malicious Android apps that have been downloaded from the official Google Play Store more than 50,000 times.

According to a report shared in public by Dutch mobile security firm ThreatFabric, the Octo banking trojan is a rebrand of another Android malware called ExobotCompact, which in turn is a "lite" replacement for its Exobot predecessor.

Since Coper was first discovered in July 2021 targeting Colombian users, it is likely that Exobot paved the way for it. Coper has since been found infecting Android users across Europe.

According to a report from cybersecurity firm Cyble, "Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts."

Android banking Trojans are nothing more than droppers, and their primary function is to distribute the malicious payload they contain. Below is a list of Octo and Coper droppers that have been used by multiple threat actors.

    Pocket Screencaster (com.moh.screen)

    Fast Cleaner 2021 (

    Play Store (com.restthe71)

    Postbank Security (com.carbuildz)

    Pocket Screencaster (com.cutthousandjs)

    BAWAG PSK Security (com.frontwonder2), and

    Play Store app install (com.theseeye5)

Using "inventive distribution schemes," these apps distribute themselves through the Google Play store and fraudulent landing pages that claim to alert users to the need to download a browser update. They also pose as Play Store app installers, screen recorders, and financial management tools.

Phony Android Apps on Google Play Store Disseminate the New Octo Banking Trojan

In order to launch the trojans, the droppers first ask users to enable Accessibility Services, which gives it a wide range of capabilities to exfiltrate sensitive information from compromised phones.

Using Android's MediaProjection API and the accessibility permissions granted by Android, Octo, the updated version of ExobotCompact, can capture screen content in real-time and commit on-device fraud.

Security researchers at ThreatFabric have stated that their ultimate goal is to enable "automatic initiation of fraudulent transactions and its authorization without manual efforts from the operator, thus providing for fraud on a significantly larger scale."

Others include logging keystrokes, performing overlay attacks on banking apps, harvesting contact information, and preventing uninstallation and eluding antivirus engines.

According to ThreatFabric, the change in name to Octo "eliminates previous links to the Exobot source code leak, inviting multiple threat actors looking for an opportunity to rent an allegedly new and original trojan".

Because it can read the content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF), ExobotCompact/capabilities Octo's put at risk not only explicitly targeted applications that are targeted by overlay attack.

Recently, an Android bank bot named GodFather was discovered that shares similarities with the Cerberus and Medusa banking trojans. GodFather was observed targeting European banks' customers to transfer funds and steal SMS messages while posing as the default Settings app.

More than that, a new AppCensus analysis discovered 11 apps with more than 46.2M installs that contained an SDK called Coelib, which enabled the capture of clipboard content, GPS data, email addresses, phone numbers, and even the modem router MAC address and network ID of the user's wireless modem router.


Your suggestions and comments are welcome

Post a Comment

Your suggestions and comments are welcome

Post a Comment (0)

Previous Post Next Post