New Android Banking Trojan Octo2 Emerges with Advanced DTO Capabilities

Cybersecurity researchers have identified a new version of the Android banking trojan Octo, now named Octo2, with improved capabilities for device takeover (DTO) and fraudulent transactions. The discovery was made by Dutch security firm ThreatFabric, which shared the findings with The Hacker News. Campaigns distributing Octo2 have been detected in European countries, including Italy, Poland, Moldova, and Hungary.

"The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," ThreatFabric noted in their report.

Several malicious apps containing Octo2 have been identified, such as:

  • Europe Enterprise (com.xsusb_restore3)
  • Google Chrome (com.havirtual06numberresources)
  • NordVPN (com.handedfastee5)

Octo was initially flagged by ThreatFabric in early 2022, attributed to a threat actor known as "Architect" or "goodluck." It is considered a direct descendant of the Exobot malware, first detected in 2016, which also led to another variant called Coper in 2021.

Exobot, based on the source code of the banking trojan Marcher, was actively maintained until 2018. It targeted financial institutions through various campaigns in countries such as Turkey, France, Germany, Australia, Thailand, and Japan. A "lite" version, named ExobotCompact, was later introduced by a threat actor known as 'android' on dark-web forums.

The emergence of Octo2 appears to be driven primarily by the leak of the Octo source code earlier this year, leading other threat actors to create multiple variants of the malware.

Another significant development is Octo's transition to a malware-as-a-service (MaaS) model, according to Team Cymru. This shift allows the developer to monetize Octo2 by offering it to cybercriminals looking to carry out information theft operations.

“When promoting the update, the owner of Octo announced that Octo2 will be available for users of Octo1 at the same price with early access,” ThreatFabric revealed. “We can expect that the actors operating Octo1 will switch to Octo2, expanding its impact on the global threat landscape.”

One of the notable improvements in Octo2 is the implementation of a Domain Generation Algorithm (DGA) for generating command-and-control (C2) server names. Because the malware computes its C2 domains rather than relying on a fixed list, the operators can move to new C2 servers at will; blocklists built from previously observed domain names therefore lose their effect, and the malware becomes more resilient to takedown efforts.
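Since a DGA defeats static domain blocklists, defenders typically fall back on behavioural signals in DNS telemetry: a single host resolving a burst of high-entropy, vowel-poor, digit-laden names. The following is an added example (not code from the article, ThreatFabric, or the Octo2 sample, whose actual DGA is not described here) that scores queried names with a generic heuristic and groups hits per client over a constructed DNS log.

```python
import math

# Constructed sample DNS resolver log lines (not real telemetry), one query per line:
# "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-09-24T10:01:02Z 10.0.0.5 A login.bank-example.com
2024-09-24T10:01:05Z 10.0.0.5 A web2.archive.org
2024-09-24T10:02:11Z 10.0.0.9 A xk7qzv9wplmtr.net
2024-09-24T10:02:12Z 10.0.0.9 A bqzhtvrkwnplsdfg.com
2024-09-24T10:02:14Z 10.0.0.9 A mail.google.com
"""

def shannon_entropy(text: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def registrable_label(qname: str) -> str:
    """Second-level label ('archive' for 'web2.archive.org'); naive, no public-suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_indicators(qname: str) -> int:
    """Number of heuristic signs (0-3) that the registrable label looks machine-generated."""
    label = registrable_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    has_digits = any(c.isdigit() for c in label)
    high_entropy = shannon_entropy(label) >= 3.5  # ~12+ mostly distinct characters
    return int(high_entropy) + int(vowel_ratio < 0.25) + int(has_digits)

def flag_dga_queries(log_text: str, min_indicators: int = 2) -> dict:
    """Map each client IP to the DGA-looking names it resolved, in log order."""
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or header lines
        _ts, client, _qtype, qname = fields
        if dga_indicators(qname) >= min_indicators:
            flagged.setdefault(client, []).append(qname)
    return flagged

if __name__ == "__main__":
    for client, names in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {names}")
```

The thresholds are illustrative; in production they would be tuned against the organisation's own baseline, and a hit on one host is a lead for triage rather than a verdict.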

The malicious Android apps distributing Octo2 have been created using a known APK binding service called Zombinder. This service enables the trojanization of legitimate applications, tricking users into downloading the actual malware (Octo2) disguised as a "necessary plugin."

Currently, there is no evidence to suggest that Octo2 is being propagated via the Google Play Store, indicating that users are likely downloading these malicious apps from untrusted sources or being deceived into installing them through social engineering techniques.

“With the original Octo malware’s source code already leaked and easily accessible to various threat actors, Octo2 builds on this foundation with even more robust remote access capabilities and sophisticated obfuscation techniques,” ThreatFabric stated.

“This variant’s ability to invisibly perform on-device fraud and intercept sensitive data, coupled with the ease with which it can be customized by different threat actors, raises the stakes for mobile banking users globally.”

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067