Octo is a banking trojan that steals sensitive data from mobile banking applications. Octo is also known as ExobotCompact.D. It is modular malware that can be tailored to target specific financial institutions and banks. Octo is distributed via SMS phishing messages that contain malicious links; once the link is clicked, the malware is installed on the victim’s device.
The attackers behind Octo spread it through SMS messages that encourage users to install fake versions of popular apps such as WhatsApp, Netflix, and Runtastic. Using an overlay attack, the malware then displays a page that looks like the bank’s own login screen. This deception lets the attackers steal user credentials and credit and debit card details.
The Trojan has a second layer of deception: it checks which app is currently on the screen and adapts the phishing overlay to that app, so the user is less likely to suspect that the overlay is malicious. The Trojan uses the Android Process Library to determine which apps are running in the background. It also checks for antivirus apps and closes the antivirus app if one is detected.
Octo first appeared in February 2017. Octo has targeted over 370 banking applications in Belgium, France, Germany, Italy, and the U.K.
- The Octo sample apps discovered were small, usually around 700 KB.
- A command-and-control system could update the lists of targeted banks and overlays.
- The samples discovered do not include native libraries, only Dalvik bytecode. Dalvik is the bytecode format of the original Android virtual machine; the Dalvik VM itself has since been replaced by the Android Runtime (ART), which still executes Dalvik bytecode.
- It uses the AndroidProcess Library, which lets an application retrieve the package name of the Android app currently running in the background. Octo uses it to detect which banking app is running and then display the matching overlay.
Mitigating the Threat of Octo
Consider implementing these security measures to protect your mobile banking application and its users against the Octo banking trojan and similar threats:
- Regular Updates: Keep up to date with the latest security patches, enhancements, and fixes for known vulnerabilities.
- User Education: Educate users to download official apps from trusted sources and to be cautious about the permissions an app requests.
- Multifactor Authentication: Encourage users to enable MFA on their accounts for an additional layer of security.
- Real-Time Monitoring: Implement real-time monitoring to detect and respond to suspicious activity in your app or network traffic.
- Secure Code: Use secure coding practices, such as input validation, data encryption, and secure API communication, to prevent vulnerabilities.
- Third-Party Library Review: Carefully evaluate and vet any third-party libraries used in your application for security risks.
- Collaborate With Security Experts: Work closely with cybersecurity experts on security assessments, code reviews, and penetration tests to identify your app’s weaknesses.
- Incident Response Plan: Develop a plan for responding to security breaches or incidents.
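The overlay technique described above and the Secure Code item both come down to the same app-side question: what can a banking app do when another window is drawn over it? An app cannot stop a malicious overlay from being shown, but it can refuse touches delivered while its window is obscured and clear secrets when it loses window focus. The following Android login activity is an added example written for this page, not code from the original article or from any vendor SDK; the layout id `R.layout.login` and view id `R.id.password` are assumed.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.EditText;

// Hypothetical login screen hardened against overlay abuse.
// R.layout.login and R.id.password are assumed resource ids.
public class LoginActivity extends Activity {
    private EditText password;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.login);
        password = findViewById(R.id.password);
        // Reject touches that reach this field while another window is
        // drawn over it; Android marks such events FLAG_WINDOW_IS_OBSCURED.
        password.setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Apply the same rule to every touch reaching this window, not
        // only the password field (e.g. "Sign in" button, OTP field).
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return false;  // consume nothing; the tap is discarded
        }
        return super.dispatchTouchEvent(ev);
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (!hasFocus) {
            // An overlay that takes focus while this screen is visible
            // triggers this callback. Ordinary causes (notification shade,
            // a system dialog, the app going to the background) do too, so
            // the response is a harmless one: drop the typed secret and
            // ask the user to re-enter it once the screen is theirs again.
            password.setText("");
            password.setError("Input cleared: another window covered this screen");
        }
    }
}
```

These checks only cover input that reaches the app; credentials typed into a full-screen phishing overlay never pass through it, which is why the user-education and monitoring measures in the list remain necessary.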
Learn More About Banking Trojan Families
Octo belongs to the prominent families of banking trojans that threaten mobile banking and financial applications. Learn more about the other major banking trojans:
- Medusa Trojan
- Cerberus Trojan