
New version of Octo malware for Android impersonates NordVPN and Google Chrome


A new version of the Octo Android malware, dubbed “Octo2,” is spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise.

The new version, analyzed by ThreatFabric, features improved operational stability, more advanced anti-analysis and detection mechanisms, and a Domain Generation Algorithm (DGA) system for resilient command and control (C2) communications.

Ultimately, its appearance in the wild confirms that the project is alive and thriving despite recent turmoil.

A Brief History and Evolution

Octo is an Android banking Trojan that evolved from ExoCompact (active 2019-2021), which in turn was based on ExoBot, a trojan released in 2016 whose source code was leaked in the summer of 2018.

ThreatFabric discovered the first version of Octo in April 2022 in fake cleaning apps on Google Play. ThreatFabric's report at the time highlighted the malware's ability to conduct on-device fraud, giving its operators broad access to victim data.

Among other things, Octo v1 allowed for logging keystrokes, navigating the device, intercepting SMS messages and push notifications, locking the device screen, muting the sound, launching arbitrary applications, and using infected devices to distribute SMS messages.

According to ThreatFabric, Octo's source code was leaked earlier this year, resulting in a number of variants appearing in the wild, which likely hurt the sales of its original creator, "Architect."

Following these events, Architect announced Octo2, likely as an attempt to introduce an improved version to the malware market and pique the interest of cybercriminals. The malware creator even announced a special discount for Octo v1 customers.

Octo Timeline
Source: ThreatFabric

Octo2 Operations in Europe

Campaigns currently deploying Octo2 are focused on Italy, Poland, Moldova, and Hungary. However, since Octo’s Malware-as-a-Service (MaaS) platform has already facilitated attacks around the world, including the US, Canada, Australia, and the Middle East, it’s likely we’ll see Octo2 campaigns in other regions soon.

In their European operations, attackers are using fake NordVPN and Google Chrome apps, as well as a Europe Enterprise app that is likely a decoy used in targeted attacks.

Octo2 uses Zombinder, a dark web APK-binding service, to attach the malicious payload to legitimate copies of these apps, thereby bypassing the restrictions that Android 13 and newer place on sideloaded apps.

Apps used in recent Octo2 campaigns
Source: ThreatFabric

More stable, more unique, more capable

Octo2 is essentially an incremental update to the first version, gradually improving the malware rather than making breaking changes or rewriting the code from scratch.

First, the malware author introduced a new low-quality setting in the Remote Access Tool (RAT) module called "SHIT_QUALITY" that reduces the amount of data transmitted to a minimum, keeping the remote session usable when the victim's internet connection is slow.

Octo2 also decrypts its payload in native code and complicates analysis by dynamically loading additional libraries at runtime, on top of the evasion features the first version already had.

Finally, Octo2 introduces a DGA-based C2 domain system that lets operators rotate to new C2 servers quickly, rendering static blocklists ineffective and increasing resilience against server takedown attempts.
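To show why a DGA defeats static blocklists, and what the defender-side response looks like, here is an added illustrative example that is not Octo2's algorithm (ThreatFabric did not publish the details above) and not ThreatFabric's code. The seed, alphabet, TLD list, domain count and the sample DNS log lines are all assumptions constructed for the demonstration. The generator derives the day's candidate domains from a date-dependent hash, exactly as a real DGA does, and the defender precomputes the candidate set for a window around today and matches DNS logs against it instead of blocking yesterday's observed domains.

```python
"""Illustrative DGA plus the defender-side check it calls for (added example)."""
import hashlib
from datetime import date, timedelta

# Assumed parameters for the demo; a real family hides its seed inside the binary.
SEED = "octo2-demo-seed"
TLDS = ["com", "net", "org"]
DOMAINS_PER_DAY = 8
LABEL_LEN = 12
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

DEMO_DAY = date(2024, 9, 24)              # constructed reference date
NEXT_DAY = DEMO_DAY + timedelta(days=1)


def generate_domains(day: date, seed: str = SEED, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Candidate C2 domains for one day, derived deterministically from seed and date.

    Malware and operator run the same function, so the operator only has to
    register one of today's candidates; the bot tries them in order until one
    resolves and answers.
    """
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidate_set(day: date, window_days: int = 2) -> set[str]:
    """Every domain the bot could use from day-window to day+window.

    Once the DGA is reverse engineered, precomputing this set (and refreshing
    it daily) is how a defender turns the algorithm back into a blocklist;
    a list of domains seen in yesterday's samples will not contain today's.
    """
    out: set[str] = set()
    for offset in range(-window_days, window_days + 1):
        out.update(generate_domains(day + timedelta(days=offset)))
    return out


def flag_dga_lookups(dns_log: list[str], today: date) -> list[tuple[str, str]]:
    """Return (client, qname) for every log line whose query hits a DGA candidate.

    Expected line format (assumed): '<timestamp> <client-ip> <qname> <qtype>'.
    """
    candidates = candidate_set(today)
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((client, qname))
    return hits


def sample_dns_log(today: date) -> list[str]:
    """Constructed sample log (not real telemetry).

    One benign lookup, one lookup of today's first DGA candidate, and one of a
    candidate from 30 days ago that a stale blocklist would still carry but
    the current window correctly ignores.
    """
    live = generate_domains(today)[0]
    stale = generate_domains(today - timedelta(days=30))[0]
    ts = today.isoformat()
    return [
        f"{ts}T10:00:01 10.0.0.5 www.example.com A",
        f"{ts}T10:00:02 10.0.0.7 {live}. A",
        f"{ts}T10:00:03 10.0.0.9 {stale}. A",
    ]


if __name__ == "__main__":
    print("today's candidates:", generate_domains(DEMO_DAY))
    print("flagged:", flag_dga_lookups(sample_dns_log(DEMO_DAY), DEMO_DAY))
```

Because today's set shares nothing with yesterday's, a blocklist assembled from captured samples goes stale within a day; the only durable control is recovering the seed and generation logic from the binary, which is why the native-code decryption and runtime library loading described above matter to defenders as much as the DGA itself.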

ThreatFabric also notes that Octo2 now receives from its operators a list of target apps whose push notifications it should intercept and block, allowing operators to suppress only the notifications that matter to the fraud (for example a bank's login or transaction alerts) rather than all of them.

No Octo2 samples have been spotted on Google Play so far, so its distribution is believed to be limited to third-party app stores and sideloaded APKs, which Android users should avoid.