This Trojan disguises as Google Chrome or NordVPN to wipe out your accounts


Researchers predict that the latest version of the credential-stealing Android malware will cause chaos in the coming year.

In 2024, a new version of malware, Octo2, began circulating in the mobile threat landscape. Octo2 is the newest addition to the prolific Octo malware family, also known as ExobotCompact.

Octo is malware-as-a-service, with its "customers" reportedly running campaigns targeting Europe, the USA, Canada, the Middle East, Singapore, and Australia.


Threat Fabric researchers have identified the new version of Octo, which has been seen running in the wild in Italy, Poland, Moldova, and Hungary. They expect it to start spreading globally in the near future.

The malware disguises itself as legitimate apps such as Google Chrome, NordVPN, and “Enterprise Europe Network.” Once a device is infected, Octo2 allows remote access to intercept push notifications, harvest credentials through fake login pages, and perform unauthorized actions.

This malware version’s ability to secretly steal sensitive data, combined with how easily different attackers can customize it, increases the danger for mobile banking users worldwide. As the threat evolves, users and financial institutions must stay alert, adopt strong security measures, and regularly update defenses to reduce the growing risk.

Mitigating the risks

Octo2 uses a Dynamic Domain Generation Algorithm (DGA) to frequently change its command and control (C2) server addresses, making it harder for security systems to detect and block it.

In a report released on October 10th, researchers from DomainTools identified numerous domains linked to Octo2, revealing a DGA pattern of random alphanumeric strings paired with specific top-level domains (TLDs).

This investigation grew from nine initial domains to 269 across 12 TLDs between August 22nd, 2024, and October 4th, 2024. Researchers have already sinkholed some of these domains, disrupting the malware's communication with its C2 server and providing insights into its behavior and geographic spread. Sinkholing is a technique cybersecurity specialists use to redirect or block malicious traffic from a specific domain or IP address.

“Malware-as-a-service (MaaS) is on the rise, and, like the legitimate marketplace, malware creators are aware of the importance of differentiating themselves from competitors,” said Steve Behm, Solutions Engineer at DomainTools.

“The iteration from Octo to Octo2 allows for enhanced obfuscation methods and improved remote access functionality, making this trojan a higher threat to financial institutions, particularly mobile banking users.”


Behm says that emphasizing domain-related data can help security practitioners and researchers better detect Octo2. Using malware detection tools and consistently monitoring DNS traffic for suspicious domain queries can provide further protection against banking trojan attacks.
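The two defensive ideas above, a DGA that emits random alphanumeric labels under a handful of TLDs and monitoring DNS queries for that pattern, can be turned into a simple detection pass over a resolver log. The following is an added example written for this article; it is not code from DomainTools or ThreatFabric, and it does not use any real Octo2 domain. The log format, the TLD watchlist, the score thresholds and the sample query names are all assumptions constructed for the demonstration (the sample uses the reserved `example` and `test` TLDs precisely so that nothing real is named).

```python
import math
import re
from collections import Counter

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2024-10-04T09:12:01Z 10.0.0.21 www.google.com
2024-10-04T09:12:03Z 10.0.0.21 x7k2p9q4mz1.example
2024-10-04T09:12:05Z 10.0.0.34 mail.corp-internal.example
2024-10-04T09:12:07Z 10.0.0.21 q8v3n1r6t0wd.example
2024-10-04T09:12:09Z 10.0.0.52 www.nordvpn.com
2024-10-04T09:12:11Z 10.0.0.34 cdn-assets-east-2024.example
2024-10-04T09:12:13Z 10.0.0.21 zk4h9m2p7c.test
"""

# Hypothetical watchlist: the article says the DGA pairs random labels with
# "specific TLDs" but does not name them, so reserved TLDs stand in here.
TLD_WATCHLIST = {"example", "test"}

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random alphanumerics score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def label_features(label: str) -> dict:
    """Features of the registrable label (the part just left of the TLD)."""
    alnum = [ch for ch in label.lower() if ch.isalnum()]
    n = len(alnum)
    return {
        "length": n,
        "entropy": shannon_entropy("".join(alnum)),
        # Human-chosen names contain vowels; random strings often do not.
        "vowel_ratio": (sum(ch in VOWELS for ch in alnum) / n) if n else 0.0,
        # Count of digit runs: "x7k2p9" has many, "assets-2024" has one.
        "digit_runs": len(re.findall(r"\d+", label)),
    }


def is_dga_like(label: str) -> bool:
    """Heuristic: long, high-entropy label with interleaved digits or no vowels."""
    f = label_features(label)
    return (
        f["length"] >= 8
        and f["entropy"] >= 3.0
        and (f["digit_runs"] >= 3 or f["vowel_ratio"] <= 0.1)
    )


def split_name(qname: str):
    """Return (label, tld). Naive split: no public-suffix handling (e.g. co.uk)."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def scan_dns_log(log_text: str, tld_watchlist=None) -> list:
    """Flag queries whose registrable label looks generated; optionally
    restrict to a TLD watchlist (None = inspect every TLD)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line; skip rather than crash
        ts, client, qname = fields
        label, tld = split_name(qname)
        if label is None:
            continue
        if tld_watchlist is not None and tld not in tld_watchlist:
            continue
        if is_dga_like(label):
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "features": label_features(label)})
    return hits


def suspected_clients(hits: list, min_hits: int = 2) -> list:
    """A DGA-driven implant queries many generated names; a client with
    several hits is a stronger signal than any single lookup."""
    per_client = Counter(h["client"] for h in hits)
    return sorted(c for c, n in per_client.items() if n >= min_hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, TLD_WATCHLIST)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['qname']} entropy={h['features']['entropy']:.2f}")
    print("clients to investigate:", suspected_clients(found))
```

Run stand-alone, the scan flags the three constructed random-looking names and leaves `www.google.com`, `mail.corp-internal.example` and `cdn-assets-east-2024.example` alone; only client `10.0.0.21` crosses the two-hit threshold. Label heuristics like this will still misfire on some CDN and telemetry hostnames, which is why the per-client count and the TLD watchlist matter more than any single flagged query, and why a confirmed sinkhole list is the better source of truth once one is available.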

“Collaboration and communication with the community should be emphasized and broadened. When we come together and share findings, we create awareness and new strategies for safeguarding against bad actors,” he concludes.