Octo2 Android Banking Trojan Masquerades as NordVPN and Google Chrome

Octo2 Android Banking Trojan Disguises Itself as Popular Apps

Security experts at ThreatFabric have discovered a new version of the Octo banking trojan, now named Octo2. Currently, this Android malware is spreading only in European countries and disguises itself as legitimate apps such as NordVPN, Google Chrome, and Europe Enterprise.

Enhanced Stealth and Communication Features

The new variant of the malware boasts improved resilience, advanced anti-analysis and anti-detection mechanisms, and uses a domain generation algorithm (DGA) to maintain communication with its command and control servers.

The original Octo banking trojan was built on ExobotCompact (active between 2019 and 2021), itself a "lightweight" version of the well-known Exobot malware, whose source code was leaked publicly in 2018.

Capabilities and Recent Developments

In their analysis of the first Octo version, ThreatFabric experts noted that the malware gave its operators broad access to victim data and to the device itself. Octo supported keylogging, remote navigation of the device screen, interception of SMS messages and push notifications, screen locking, muting the device, launching arbitrary apps, and sending SMS messages from infected devices.

In 2024, Octo's source code leaked online, leading to the emergence of numerous "forks." The malware's creator, known as Architect, reportedly saw sales decline as a result and responded by announcing Octo2, even offering a special discount to customers of the first version.

Current Campaigns and Distribution

At present, Octo2 campaigns are targeting users in Italy, Poland, Moldova, and Hungary. However, since Octo2 operates under a Malware-as-a-Service (MaaS) model, researchers believe it may soon appear in other regions as well.

In European countries, attackers are disguising the updated banking trojan as NordVPN (com.handedfastee5), Google Chrome (com.havirtual06numberresources), and Europe Enterprise (com.xsusb_restore3) apps.

Technical Details and Evasion Techniques

Octo2 is delivered through the Zombinder service, which binds the malicious payload to an otherwise legitimate APK. The result is a dropper: the lure app installs the real payload from inside itself, so the payload never goes through the browser or file-manager install path that Android 13 and later subject to "Restricted settings" (the control that stops freshly sideloaded apps from enabling an accessibility service). That is what lets the trojan obtain the accessibility access its remote-control and overlay features depend on.
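Two of the facts above are directly checkable on a suspect device: the three package names published for the lures, and the combination "sideloaded app that holds an enabled accessibility service", which is what the dropper technique is designed to obtain. The following Python script is an added example (not code from ThreatFabric or from this article); it triages the output of `adb shell pm list packages -f -i` and `adb shell settings get secure enabled_accessibility_services` offline. The sample command output, the `/data/app` paths and the `com.example.helper` package are constructed for the example.

```python
"""Offline triage of adb output for known Octo2 packages and for sideloaded
apps that have an accessibility service enabled.

Added example. Inputs are the text of:
    adb shell pm list packages -f -i
    adb shell settings get secure enabled_accessibility_services
"""
import re

# Package names reported for the Octo2 lures (from the article).
OCTO2_PACKAGES = {
    "com.handedfastee5": "NordVPN lure",
    "com.havirtual06numberresources": "Google Chrome lure",
    "com.xsusb_restore3": "Europe Enterprise lure",
}

# Installers treated as store installs. Anything else (a browser, the manual
# package installer, a dropper's own package, or `null`) means a sideload.
STORE_INSTALLERS = {"com.android.vending"}

# `pm list packages -f -i` prints one line per package:
#   package:<apk path>=<package name>  installer=<installer package or null>
PM_LINE = re.compile(
    r"^package:(?P<apk>\S+)=(?P<pkg>[\w.]+)\s+installer=(?P<inst>\S+)$"
)


def parse_pm_list(text):
    """Return {package: (apk_path, installer_or_None)}."""
    found = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installer = None if m["inst"] == "null" else m["inst"]
            found[m["pkg"]] = (m["apk"], installer)
    return found


def parse_accessibility(text):
    """Return the set of packages with an enabled accessibility service.

    The setting is a ':'-separated list of <package>/<service class>.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(pm_text, a11y_text):
    """Return (package, reason, apk_path) for each package worth a look."""
    packages = parse_pm_list(pm_text)
    a11y = parse_accessibility(a11y_text)
    findings = []
    for pkg, (apk, installer) in sorted(packages.items()):
        if pkg in OCTO2_PACKAGES:
            findings.append((pkg, "known Octo2 package name: " + OCTO2_PACKAGES[pkg], apk))
        elif pkg in a11y and installer not in STORE_INSTALLERS:
            findings.append(
                (pkg, f"sideloaded (installer={installer}) with accessibility service enabled", apk)
            )
    return findings


# Constructed sample output; the paths and the helper package are invented.
SAMPLE_PM = """\
package:/system/app/Chrome/Chrome.apk=com.android.chrome  installer=null
package:/data/app/~~abc==/com.nordvpn.android-xyz==/base.apk=com.nordvpn.android  installer=com.android.vending
package:/data/app/~~def==/com.handedfastee5-uvw==/base.apk=com.handedfastee5  installer=null
package:/data/app/~~ghi==/com.example.helper-rst==/base.apk=com.example.helper  installer=com.android.packageinstaller
"""
SAMPLE_A11Y = (
    "com.example.helper/com.example.helper.AccService:"
    "com.handedfastee5/com.handedfastee5.Svc"
)

if __name__ == "__main__":
    for pkg, why, apk in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{pkg}: {why} ({apk})")
```

The second rule deliberately flags more than Octo2: any sideloaded app with accessibility access is worth a look, because the lure package names are trivial for the operators to rotate, while the accessibility grant is the capability they cannot do without. A system app with `installer=null` and no accessibility service, like the Chrome entry in the sample, is not flagged.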

According to ThreatFabric, Octo2 is an updated version of the original malware rather than a rewrite. One visible change is a new SHIT_QUALITY setting for the remote access module: it reduces the amount of screen data the module streams back to the operator, so that a remote session stays usable over a poor mobile connection.

Octo2 now decrypts its payload in native code rather than in Java, and complicates analysis further by loading additional libraries dynamically at run time, so a static look at the APK shows less of the real logic. As mentioned earlier, the DGA lets operators update and switch command servers quickly: bots compute the same candidate domains the operators do, so a server that is taken down is replaced simply by registering the next name in the sequence.
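The article says that Octo2 uses a DGA but gives no details of the algorithm, so the following Python example is a generic date-seeded DGA, added here to show the mechanism from both sides; it is not Octo2's scheme, and the seed, the hash construction, the TLD list and the DNS log format are all assumptions. The operator side is `dga()`; the defender side is `sinkhole_list()`, which is why recovering the seed from a sample matters: with it, every domain the bots will try over the coming days can be precomputed and registered or blocked ahead of the operator.

```python
"""Generic date-seeded DGA: operator generation and defender precomputation.

Added example, not Octo2's algorithm. Seed, hashing and TLD set are assumed.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info")  # assumed rotation set


def dga(seed, day, count=10):
    """Return `count` candidate domains for a given day.

    Bots and operators share `seed`. Each day yields a fresh, deterministic
    list, so the operator registers one of today's names and moves on
    tomorrow if it is taken down; the bots follow without any update.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the first 12 bytes; TLD from the 13th byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def sinkhole_list(seed, start, days):
    """Defender side: precompute every domain for a window of `days` days."""
    out = set()
    for n in range(days):
        out.update(dga(seed, start + timedelta(days=n)))
    return out


def find_dga_hits(dns_log, blocklist):
    """Return (client, qname) pairs from a DNS log that hit the blocklist."""
    hits = []
    for line in dns_log:
        # Constructed log format: "<time> <client> query <qname>"
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


SEED = "example-seed"  # assumed; a real seed is recovered from the sample
DAY = date(2024, 9, 23)

# Constructed DNS log: two benign lookups and one query for a generated domain.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 query www.nordvpn.com.",
    f"12:00:07 10.0.0.9 query {dga(SEED, DAY)[3]}.",
    "12:00:09 10.0.0.5 query clients3.google.com.",
]

if __name__ == "__main__":
    for d in dga(SEED, DAY)[:3]:
        print("today:", d)
    block = sinkhole_list(SEED, DAY, 7)
    print("hits:", find_dga_hits(SAMPLE_LOG, block))
```

Real DGAs differ in the seed source (a hard-coded constant, the date, sometimes an external value such as a trending topic), in how many candidates they try per day, and in how they distinguish a live server from a sinkhole, but the asymmetry is the same in all of them: whoever knows the seed can be ahead of the other side.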

Distribution Channels and Recommendations

So far, Octo2 has not been detected in the official Google Play Store. Its distribution appears to be limited to third-party app stores and other sources, which researchers strongly recommend avoiding.
