Octo2 Android malware: A new threat spreading across Europe

September 27, 2024

A new version of the Octo Android malware, referred to as “Octo2,” has been detected spreading across Europe under the disguise of well-known applications such as NordVPN, Google Chrome, and a lesser-known app called Europe Enterprise.

This latest variant has been enhanced with greater stability, more sophisticated evasion techniques, and a domain generation algorithm (DGA) for resilient command and control (C2) communication.

Octo2 is a continuation of the original Octo malware, which itself evolved from the ExoCompact banking trojan (2019-2021) that was built on ExoBot, first released in 2016.

The original Octo malware was discovered in April 2022 and found hidden in fake cleaner applications on Google Play. It boasted a range of on-device fraud features, including keylogging, interception of SMS and push notifications, screen locking, and launching arbitrary apps. Following a series of leaks, multiple versions of Octo began appearing, causing disruptions to the original author’s sales. In response, the malware’s creator, known as ‘Architect,’ launched Octo2, hoping to reinvigorate interest in the malware by offering an improved version alongside promotional discounts for customers of the first Octo variant.

The most recent Octo2 campaigns have primarily targeted European countries, such as Italy, Poland, Moldova, and Hungary, although previous versions of the malware have been used to facilitate attacks across a wide range of regions, including the United States, Canada, Australia, and the Middle East.

Threat actors have employed fake NordVPN and Google Chrome apps, along with the Europe Enterprise app, likely as lures to trick users into downloading the malicious software. By leveraging the Zombider service, they have managed to bypass Android 13’s security measures, embedding the harmful payload into these APKs.

The Octo2 upgrade appears to be a refined continuation of the original malware rather than a complete overhaul. Among the notable changes is a new setting in the remote access tool (RAT) module called “SHIT_QUALITY,” designed to minimise data transmissions for greater connectivity in areas with poor network speed. The malware also decrypts its payload through native code and dynamically loads additional libraries to complicate analysis and detection.

Octo2’s new DGA-based C2 system enables its operators to swiftly change C2 servers, making the malware more resilient to takedown attempts and blocklists. Additionally, the malware is capable of receiving a list of apps to target, allowing it to block specific push notifications and refine its attacks.

Currently, Octo2 is not available on Google Play, and its distribution is limited to third-party app stores, which Android users are advised to avoid.
