New Android Banking Malware

Octo, a new Android banking malware that employs remote access capabilities to enable attackers to commit on-device fraud, has been identified in the wild and is designed to prey on vulnerable Android devices.

The Octo malware that strikes Android is a variation of ExoCompact, an Exo trojan-based malware that was used by cybercriminals before it quit the space in 2018 and generated a significant leak of its source code.

Several users were identified as looking to purchase this variant on darknet forums by ThreatFabric researchers, who observed several users buying it there.

It has been proven that ExobotCompact is directly associated with the malware strain recently discovered by experts. The threat is referred to as ExobotCompact.B on ThreatFabric’s MTI Portal, while it was first identified as a worm.

In November 2021, following a few iterations of updates in the ExobotCompact system, the ExobotCompact.D variant was introduced, and it’s the latest loop of the ExobotCompact.

Capabilities of Octo Malware

In comparison to ExoCompact, Octo comes with a lot of advanced features. By controlling the compromised Android device remotely, the threat actors can execute on-device fraud (ODF) using the remote access module of Octo.

Here below we have mentioned all the capabilities of Octo:-

  • Manipulating other apps.
  • Compromise password management apps.
  • Compromise crypto wallet apps.
  • Compromise banking apps.
  • Compromise 2FA apps.
  • Compromise game logins.

As part of its attacks, Octo conceals the victim’s remote operations behind a black screen overlay, and during this session, the attacker performs the following two key things:-

  • Activates the no interruption mode.
  • Lowers the screen brightness to zero

Malware can perform various tasks without the victim being aware of them by making the device appear to be turned off, and here we have mentioned the tasks:-

  • Screen taps
  • Gestures
  • Text writing
  • Clipboard modification
  • Data pasting
  • Scrolling up
  • Scrolling down

Supported Commands

A large range of commands are supported by Octo, and here they are mentioned below:-

  • From specified apps, it blocks push notifications.
  • Enable SMS interception.
  • Disable sound.
  • Disable temporarily to lock the device’s screen.
  • Launch a specified app.
  • Start remote access session.
  • Stop remote access session.
  • Update list of C2s.
  • Open appointed URLs.
  • Send SMS with appointed text to a select number.

Campaigns & Actors

An alias ‘Architect’ or ‘good luck’ is used by a threat actor to sell Octo on popular forums, such as the Russian-language XSS hacking forum. There has been a distinct difference between the posts between Octo and potential subscribers that are written in English. When compared with XSS, where most posts are written in Russian.

While it’s believed that the ‘Architect’ of Octo is either the same author who has maintained the ExoCompact source code or it has been acquired by a new owner.

As the cybersecurity analysts at ThreatFabric have claimed that there are several similarities between Octo and ExoCompact like:-

  • Google Play publication success
  • Google Protect disabling function
  • The reverse engineering protection system

The ExoCompact also includes a remote access module, although a simpler one, and provides options for executing commands at a delayed time and provides similar administrative options as Octo does.

Recently, an app named “Fast Cleaner” infected devices with Octo on Google Play. The app had 50,000 installs before it was discovered and removed in February 2022.

Infected Apps

Here we have mentioned the list of known Android apps containing the Octo malware:-

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2), and
  • Play Store app install (com.theseeye5)

All information viewed on a device’s screen becomes accessible to malware variants once it has been infected, which means that no information is safe, and any protective measures are ineffective.

In such a case, it is extremely important that users remain aware and make sure to keep a limited number of apps on their smartphones by enabling the Play Protect.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.