A huge number of malicious Android apps, installed from the Google Play Store more than 50,000 times, are being used to target banks and other financial entities.
The trojan, dubbed Octo, is a rebrand of another Android malware called ExobotCompact, which, in turn, is a “lite” replacement for its Exobot predecessor, as reported by the firm ThreatFabric.
The malicious apps are nothing more than droppers, whose primary function is to deploy the malicious payload embedded within them. The list of Octo and Coper droppers used by multiple threat actors is below:
- Pocket Screencaster
- Fast Cleaner 2021
- Play Store
- Postbank Security
- BAWAG PSK Security
- Play Store app install
These apps, which pose as app installers, screen recorders, and financial apps, are “powered by inventive distribution schemes,” and are distributed through the Google Play Store and via fraudulent landing pages that purportedly alert users to download a browser update.
Once installed, these apps, which are used to launch the trojans, request that users enable Accessibility Services, which grant the malware a wide breadth of capabilities to exfiltrate sensitive information from the compromised phones.
Octo, the revised version of ExobotCompact, is also equipped to perform on-device fraud by gaining remote control over the devices, taking advantage of the accessibility permissions as well as Android’s MediaProjection API to capture screen contents in real time.
Other notable features of Octo include logging keystrokes, carrying out overlay attacks on banking apps to capture credentials, harvesting contact information, and persistence measures to prevent uninstallation and evade antivirus engines.
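Because the trojan depends on the user enabling an accessibility service, a fleet audit can list every package that holds one and flag those outside an approved set. The following is an added example, not code from the article or from ThreatFabric; it assumes the two input strings were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names and allowlist are constructed for illustration.

```python
# Added example. Sample data is constructed; package names are hypothetical.
PLAY_INSTALLER = "com.android.vending"

def parse_accessibility(setting):
    """Split the colon-separated component list into {package: [service classes]}."""
    services = {}
    for comp in setting.strip().split(":"):
        if "/" not in comp:          # empty value or the literal "null"
            continue
        pkg, cls = comp.split("/", 1)
        if cls.startswith("."):      # expand shorthand ".Svc" to "pkg.Svc"
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(pm_output):
    """Map package -> installer from 'package:<name>  installer=<src>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        pkg = fields[0][len("package:"):]
        src = next((f.split("=", 1)[1] for f in fields[1:]
                    if f.startswith("installer=")), "unknown")
        installers[pkg] = src
    return installers

def audit(setting, pm_output, allowlist):
    """Return (package, severity, installer, services) for non-allowlisted holders."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svcs in sorted(parse_accessibility(setting).items()):
        if pkg in allowlist:
            continue
        src = installers.get(pkg, "unknown")
        # Droppers were also on Google Play, so a Play install is still reviewed.
        severity = "review" if src == PLAY_INSTALLER else "high"
        findings.append((pkg, severity, src, svcs))
    return findings

SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.cleaner/.CleanerService:"
                  "com.example.updater/com.example.updater.Svc")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.cleaner  installer=com.android.vending
package:com.example.updater  installer=null
"""
ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumed approved set
```

Sideloaded holders are rated higher than Play installs, but neither is cleared automatically, since the droppers described here reached devices through both channels.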
An analysis published by AppCensus found 11 apps with more than 46 million installations that were implanted with a third-party SDK named Coelib that made it possible to capture clipboard content, GPS data, email addresses, phone numbers, and even the user’s modem router MAC address and network SSID.