Multiple rogue Android apps hosted on the official Play Store are being used to target banks and financial agencies. The apps are laden with a banking trojan offered for rent, identified as Octo (a rebrand of ExobotCompact).
The rogue dropper apps
According to ThreatFabric, the rogue apps are actually droppers meant to deploy the embedded malicious payload. Multiple apps advertised as utility apps act as Octo droppers.
Once installed, the droppers act as a medium to launch other trojans.
Additionally, they ask users to enable Accessibility Services, which the payload then abuses to exfiltrate sensitive information from the device.
The malicious apps acting as droppers are identified as Pocket Screencaster, Fast Cleaner 2021, Play Store, Postbank Security, Pocket Screencaster, BAWAG PSK Security, and Play Store app install.
These apps spread via inventive distribution schemes, the Play Store, and fraudulent landing pages prompting browser updates.
Octo is also said to be a rebrand of a similar Android threat called ExobotCompact.
Additional insights
Octo can perform on-device fraud by achieving remote control of infected devices.
It abuses the Accessibility Service permissions and Android's MediaProjection API to capture real-time screen contents.
Other features include logging keystrokes, overlay attacks on banking apps to capture credentials, harvesting contact information, preventing uninstallation, and evading antivirus engines.
The goal of this malware is to initiate and authorize fraudulent transactions automatically, without manual involvement from the attackers, so that fraud can be carried out at a much larger scale.
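The behaviours listed above (accessibility-service abuse, overlays, dropping further APKs, screen capture) each leave a footprint in an app's manifest. The triage helper below is an added example written for this article, not code from ThreatFabric or the Octo report; it assumes a manifest already decoded to plain XML (for instance by apktool) and surfaces the combination of indicators an analyst would want to review, without claiming that any single one proves malice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for android:* attributes

# Manifest-level indicators matching the dropper/payload behaviours described above.
# Legitimate screen recorders and cleaners request some of these too; the
# combination, not any single entry, is what should be escalated for review.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (credential-stealing overlays)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION":
        "screen capture via MediaProjection (declared only on Android 14+; absence proves nothing on older targets)",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, human-readable findings and a simple count-based score."""
    root = ET.fromstring(manifest_xml)
    findings = []
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, why in PERMISSION_INDICATORS.items():
        if perm in requested:
            findings.append(f"{perm}: {why}")
    # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE and
    # filter the framework's AccessibilityService action; flag any that does both.
    for svc in root.iter("service"):
        if svc.get(A + "permission") != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if "android.accessibilityservice.AccessibilityService" in actions:
            findings.append(f"accessibility service {svc.get(A + 'name')}: can read screen content and inject input")
    return {"package": root.get("package"), "findings": findings, "score": len(findings)}

# Constructed sample manifest (hypothetical package name) shaped like a utility-app dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Fast Cleaner">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "score", report["score"])
    for line in report["findings"]:
        print(" -", line)
```

The score is deliberately a plain count so it can be combined with runtime behaviour (network destinations, Accessibility Service prompts) rather than used as a verdict on its own.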
Conclusion
From abusing devices' accessibility features to bypassing advanced security layers, Octo appears to be a potential threat in the longer run. A large number of droppers on the Play Store and malicious landing pages only enhance its infection capabilities. For protection, experts suggest having a monitoring system in place to analyze the behavior of installed apps.