A number of rogue Android apps that have been cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities.
The rental banking trojan, dubbed Octo, is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a “lite” replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.
Exobot is also said to have likely paved the way for a separate descendant called Coper, which was initially discovered targeting Colombian users around July 2021, with newer infections targeting Android users in different European countries.
“Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts,” Cybersecurity company Cyble noted in an analysis of the malware last month.
The rogue apps, like other Android trojans, are simply droppers whose main function is to install the malicious payload embedded within the app. The list of Octo and Coper droppers used by multiple threat actors is below –
- Pocket Screencaster (com.moh.screen)
- Fast Cleaner 2021 (vizeeva.fast.cleaner)
- Play Store (com.restthe71)
- Postbank Security (com.carbuildz)
- Pocket Screencaster (com.cutthousandjs)
- BAWAG PSK Security (com.frontwonder2), and
- Play Store app install (com.theseeye5)
These apps, which pose as a Play Store app installer, screen recording, and financial apps, are “powered by inventive distribution schemes,” spreading through the Google Play Store and via fraudulent landing pages that purportedly alert users to download a browser update.
Once installed, the droppers act as a channel to launch the trojans. To do so, they ask users to enable Accessibility Services, which allow the malware to access sensitive information on compromised phones.
Octo, the revised version of ExobotCompact, is also equipped to perform on-device fraud by gaining remote control over the devices, taking advantage of the accessibility permissions as well as Android’s MediaProjection API to capture screen contents in real time.
The ultimate goal, according to ThreatFabric, is to enable the “automatic initiation and authorization of fraudulent transactions without the operator’s manual effort,” thus allowing fraud at a much larger scale.
Other notable features of Octo include logging keystrokes, carrying out overlay attacks on banking apps to capture credentials, harvesting contact information, and persistence measures to prevent uninstallation and evade antivirus engines.
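The two behaviours described above, a dropper that asks for Accessibility Services and a trojan that relies on overlays, both leave traces a defender can query from a device with `adb`. The following triage script is an added example, not part of the original article or of ThreatFabric's tooling. It parses constructed samples of three `adb shell` outputs (`pm list packages -3`, `settings get secure enabled_accessibility_services`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags third-party packages that match the dropper package names listed in the article, have an accessibility service enabled, or hold the overlay permission. The sample package names other than the article's dropper names (`com.example.notes`, `com.bank.legit`) and the service class names are constructed for illustration.

```python
"""Triage a suspected Octo/Coper infection from captured `adb shell` output.

Added example; the sample outputs below are constructed and embedded so the
script runs offline. On a real device the same text would come from:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
from dataclasses import dataclass, field

# Package names of the Octo/Coper droppers named in the article.
KNOWN_DROPPERS = {
    "com.moh.screen", "vizeeva.fast.cleaner", "com.restthe71",
    "com.carbuildz", "com.cutthousandjs", "com.frontwonder2", "com.theseeye5",
}


def parse_package_list(text: str) -> set[str]:
    """`pm list packages` prints one `package:<name>` line per installed app."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_accessibility_services(text: str) -> set[str]:
    """The secure setting is a colon-separated list of `<pkg>/<ServiceClass>`
    entries, or the literal string `null` when no service is enabled.
    Returns the set of package names that own an enabled service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def overlay_allowed(appops_text: str) -> bool:
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints a line such as
    `SYSTEM_ALERT_WINDOW: allow; time=+2h43m29s ago`, or `No operations.`
    when the op was never set. Only an explicit `allow` counts."""
    for line in appops_text.splitlines():
        if line.strip().startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].strip().split(";")[0].strip()
            return mode == "allow"
    return False


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(package_list: str, a11y_setting: str,
           appops_by_pkg: dict[str, str]) -> list[Finding]:
    """Combine the three outputs into a list of packages worth a closer look."""
    third_party = parse_package_list(package_list)
    a11y_owners = parse_accessibility_services(a11y_setting)
    findings = []
    for pkg in sorted(third_party):
        reasons = []
        if pkg in KNOWN_DROPPERS:
            reasons.append("matches a reported Octo/Coper dropper package name")
        if pkg in a11y_owners:
            reasons.append("has an accessibility service enabled")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("holds SYSTEM_ALERT_WINDOW (overlay) permission")
        if reasons:
            findings.append(Finding(pkg, reasons))
    return findings


# Constructed sample outputs (one real dropper name from the article plus
# two hypothetical benign apps).
SAMPLE_PACKAGES = """package:com.moh.screen
package:com.example.notes
package:com.bank.legit
"""
SAMPLE_A11Y = ("com.moh.screen/com.moh.screen.AccService:"
               "com.example.notes/com.example.notes.ReaderService")
SAMPLE_APPOPS = {
    "com.moh.screen": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m0s ago",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: ignore; time=+1d ago",
    "com.bank.legit": "No operations.",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_APPOPS):
        print(finding.package)
        for reason in finding.reasons:
            print("  -", reason)
```

A package that only has an accessibility service enabled (a screen reader, for instance) is not malicious by itself; the point of combining the three signals is that a freshly installed "cleaner" or "screencaster" app that both runs an accessibility service and holds the overlay permission is exactly the profile the article describes, and is the one to pull and inspect first.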
“Rebranding to Octo removes all ties to the leaked Exobot source code, inviting numerous threat actors to look for an opportunity to rent an ‘original trojan’,” ThreatFabric stated.
“Its capabilities put at risk not only explicitly targeted applications that are targeted by overlay attack, but any application installed on the infected device as ExobotCompact/Octo is able to read content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF).”
The findings come close on the heels of the discovery of a separate Android bankbot named GodFather, sharing overlaps with the Cerberus and Medusa banking trojans, that has been observed targeting banking users in Europe under the guise of the default Settings app to transfer funds and steal SMS messages, among others.
On top of that, a new analysis published by AppCensus found 11 apps with more than 46 million installations that were implanted with a third-party SDK named Coelib that made it possible to capture clipboard content, GPS data, email addresses, phone numbers, and even the user’s modem router MAC address and network SSID.