A new variant of the Octo Android malware, dubbed “Octo2,” has emerged in Europe, masquerading as legitimate applications such as NordVPN, Google Chrome, and a program named Europe Enterprise. This latest iteration, thoroughly examined by ThreatFabric, showcases enhanced operational stability and sophisticated mechanisms designed to evade analysis and detection. Notably, it employs a domain generation algorithm (DGA) system, which bolsters its command and control (C2) communications, ensuring resilience against disruptions.
Brief History and Evolution
The Octo malware is rooted in the Android banking trojan lineage, evolving from ExoCompact, which was active from 2019 to 2021. This earlier variant was itself derived from the ExoBot trojan, first introduced in 2016, whose source code was leaked in mid-2018. ThreatFabric initially uncovered Octo in April 2022, embedded within counterfeit cleaner applications on Google Play. Their findings revealed the malware’s extensive on-device fraud capabilities, granting operators significant access to victims’ sensitive information.
Octo v1 was equipped with a range of functionalities, including:
- Keylogging
- On-device navigation
- Interception of SMS and push notifications
- Device screen locking
- Sound muting
- Arbitrary app launches
- Utilization of infected devices for SMS distribution
Earlier this year, the original Octo was leaked, leading to the emergence of multiple forks of the malware. This development likely impacted the sales of its original creator, known as ‘Architect.’ In response, Architect introduced Octo2, presumably to reinvigorate interest among cybercriminals. The creator even offered a special discount for existing customers of Octo v1.
Octo2 Operations in Europe
Current campaigns utilizing Octo2 are primarily targeting Italy, Poland, Moldova, and Hungary. However, given the malware’s previous reach through the Malware-as-a-Service (MaaS) platform, which has facilitated attacks globally—including in the U.S., Canada, Australia, and the Middle East—it’s anticipated that Octo2 will soon extend its operations to other regions.
In these European campaigns, threat actors are leveraging counterfeit NordVPN and Google Chrome applications, alongside the Europe Enterprise app, likely as bait for targeted attacks. Octo2 employs the Zombider service to embed the malicious payload into these APKs, successfully circumventing security measures introduced in Android 13 and later versions.
More Stable, More Evasive, More Capable
Octo2 represents a refined upgrade to its predecessor, enhancing its capabilities incrementally rather than through radical overhauls. A notable addition is the introduction of a low-quality setting within the remote access tool (RAT) module, aptly named “SHIT_QUALITY.” This feature minimizes data transmissions, ensuring more reliable connectivity even under poor internet conditions.
Furthermore, Octo2 employs native code to decrypt its payload and complicates analysis by dynamically loading additional libraries during execution, significantly bolstering its evasion tactics. The introduction of a DGA-based C2 domain system allows operators to swiftly update and switch to new C2 servers, rendering blocklists ineffective and enhancing resilience against server takedown efforts.
ThreatFabric also highlights that Octo2 now receives a curated list of applications to intercept, enabling operators to fine-tune their targeting strategies. Currently, Octo2 has not been detected on Google Play, indicating that its operators are relying on alternative distribution channels to propagate the malware.
