Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Octo2 Malware Masquerades as Popular Apps

Android Poses as NordVPN, Google Chrome in Europe
Octo2 Malware Masquerades as Popular Apps
Image: Shutterstock

A new version of the Octo Android malware is spreading across Europe, posing as legitimate apps such as NordVPN and Google Chrome. The latest iteration includes advanced anti-detection mechanisms and a domain generation algorithm for command-and-control communication.

See Also: Panel Discussion | Securing the Open Door on Your Endpoints

ThreatFabric researchers discovered Octo2 malware targeting European countries under the guise of popular apps and also a regionally relevant app called Europe Enterprise.

The updated version is more stable and harder to detect, increasing the malware's persistence in infected devices, the researchers said.

Octo2 builds on the ExobotCompact malware family, first spotted in 2016 as a banking Trojan. It has evolved into one of the most widespread Android malware families, used by cybercriminal groups to target banking customers globally.

Researchers first observed Octo2 in Italy, Poland, Hungary and Moldova. Hackers' appropriation of trusted brands as cover helps the malware spread effectively, since unsuspecting users believe they are installing trusted software.

Threat actors behind Octo2 focused on improving the malware's core remote access functionality, a key feature for device takeover attacks. To reduce data transmission and improve connection stability during these attacks, Octo2 now incorporates a setting known as SHIT_QUALITY, an actual term used by the creators that reduces the quality of the images sent from the infected device to the C2 server.

The enhancement ensures the malware can maintain reliable communication even over poor network connections.

Octo2 also improves anti-analysis and anti-detection capabilities, which have been a hallmark of the ExobotCompact family. Octo2's malicious code is loaded dynamically and decrypted through multiple layers of protection.

Researchers said Octo2's use of a domain generation algorithm for C2 communication is a particular innovation. It allows the malware to generate new domain names on the fly, ensuring that attackers can maintain control of infected devices even if security teams manage to take down known C2 servers. A limitation of the algorithm is that once researchers understand it, antivirus vendors can predict future domains and proactively block them.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.