There is a new strain of malware circulating on the internet, and it wants to control your Android device. Once installed, “Octo”, as it is commonly called, can both black out your screen and operate your device, all without you knowing it. Let’s examine where Octo came from, how it works, and how you can avoid it.
What is Octo?
ThreatFabric, the first outlet to discover and report on Octo, identified the strain as an evolution of the Exobot family of malware. Exobot has targeted banking activity since 2016 and has evolved into various strains over time. ThreatFabric now tracks this strain as ExobotCompact.D; on the dark web, however, the malware is referred to as “Octo.”
Many hackers try to break into your accounts from their own devices by phishing for your login information and your MFA codes. Octo, however, lets bad actors remotely operate your Android phone in what is called on-device fraud (ODF). ODF is extremely dangerous because the activity does not originate from an unfamiliar device somewhere else in the world but from the very device your accounts and networks expect it to come from.
How does Octo work?
Octo abuses Android’s MediaProjection API to remotely stream your smartphone’s screen. While it is not a perfect livestream (the video runs at about 1 frame per second), it is enough for hackers to see what they are doing on your device. To actually act on the device, they then use Octo’s takeover of AccessibilityService.
You will not see any of this happen, because Octo draws a black overlay over your screen and silences any notifications you may receive. From your perspective, your phone appears to be off, but for the hackers it is open season on your Android device.
From here, hackers can perform a variety of actions remotely on your device, including taps, gestures, entering and inserting text, long clicks, and scrolling, among other commands. On top of that, a hacker does not even have to carry out these steps in person: they can simply “tell” the malware what they want done, and the malware performs the tasks automatically. The potential scale of fraud therefore expands significantly, since it no longer requires a human being to sit there and go through the steps one by one.
Octo can do a lot once it is on your device. It can act as a keylogger that reports every action you take, including your lock pattern or PIN, the URLs you visit, and every touch you make on the screen. It can also scrape your contact list, intercept your text messages, and record and manage your phone calls. The author of Octo made it even harder to detect by writing custom code to obfuscate the malware’s identity.
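The two capabilities described above, an enabled accessibility service and permission to draw over other apps, are both visible from outside the app. The following triage script is an added example written for this article; it is not ThreatFabric’s tooling or anything from the malware itself. It assumes you have captured `adb shell settings get secure enabled_accessibility_services` and the permission section of `adb shell dumpsys package <pkg>` from a device you administer; the package names and dumpsys excerpts embedded below are constructed sample data, not real apps or real device output.

```python
import re
from typing import Dict, List, Set

# Permissions that, together with accessibility access, line up with the
# keylogging, SMS interception and call handling behaviour described above.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}
# Permission needed to draw a full-screen (e.g. black) overlay over other apps.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated package/class pairs; a class starting with '.' is shorthand
# for the package prefix. Package names are made up for this example.
SAMPLE_ENABLED_SERVICES = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.fastclean/.OverlayService"
)

# Constructed excerpts of the permission section of `dumpsys package <pkg>`.
SAMPLE_DUMPSYS = {
    "com.example.screenreader": """\
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.fastclean": """\
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
""",
}

_PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)", re.MULTILINE)


def parse_enabled_services(raw: str) -> Dict[str, Set[str]]:
    """Map package name -> fully qualified accessibility services enabled for it."""
    services: Dict[str, Set[str]] = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, set()).add(cls)
    return services


def parse_granted_permissions(dumpsys_text: str) -> Set[str]:
    """Return the permission names a dumpsys excerpt reports as granted=true."""
    return {name for name, state in _PERM_RE.findall(dumpsys_text) if state == "true"}


def triage(enabled_raw: str, dumpsys_by_pkg: Dict[str, str],
           allowlist: Set[str] = frozenset()) -> List[dict]:
    """Rate every non-allowlisted package that has an accessibility service enabled.

    high   : accessibility + overlay permission (can act while hiding the screen)
    medium : accessibility + SMS / contacts / call-log / microphone permissions
    low    : accessibility only
    """
    findings = []
    for pkg, classes in parse_enabled_services(enabled_raw).items():
        if pkg in allowlist:
            continue
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        overlay = OVERLAY_PERMISSION in granted
        sensitive = sorted(granted & SENSITIVE_PERMISSIONS)
        severity = "high" if overlay else ("medium" if sensitive else "low")
        findings.append({
            "package": pkg,
            "services": sorted(classes),
            "overlay": overlay,
            "sensitive_permissions": sensitive,
            "severity": severity,
        })
    order = ("high", "medium", "low")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_DUMPSYS):
        print(f"{f['severity']:6} {f['package']} overlay={f['overlay']} "
              f"sensitive={f['sensitive_permissions']}")
```

Put your own screen reader, password manager or enterprise MDM agent in the allowlist so the report only shows what you did not knowingly enable; anything rated high that you do not recognise is worth uninstalling before it gets a chance to cover the screen.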
How does Octo get on your Android phone?
As with many malware infections, compromised apps are a primary means of installation. According to ThreatFabric, the “Fast Cleaner” app contained Octo alongside other malware and was downloaded over 50,000 times before Google removed it from the Play Store. The app primarily targeted customers of European banks and installed Octo by convincing users to install a “browser update.” Other affected apps include a screen recorder called “Pocket Screencaster”, as well as a number of fake banking apps designed to trick customers of the targeted banks into downloading them.
The secret to avoiding Octo, therefore, is to apply good security practices on your Android device at all times. Never install an app from the Play Store without having thoroughly reviewed it first. While Google’s app screening is certainly better than it used to be, compromised apps slip through all the time.
Next, be extremely wary of apps that ask you to download a separate app or install an update from a link of their own rather than from the Play Store. Legitimate apps want you to use their app, not to follow an external link to download another one. Likewise, your apps receive updates through the Play Store, not through an app’s own update page. These are classic malware installation tactics, and you can avoid them simply by paying attention to the actions you take on Android.
If you are concerned that you may have malware installed, you can use a trusted tool such as Malwarebytes to scan your device for malicious software. If you need to go nuclear, a factory reset wipes out all malware and installs a fresh copy of Android on your phone. As long as you stay aware of the apps and links you interact with on your devices, though, you should be well on your way to avoiding Octo and other malware like it.