The new version of the Android malware called Octo2, an improved version of Octo (Exobotcompact), has been identified in Europe. According to threatsFabrics specialists, this new version has the potential to significantly impact cybersecurity.
Octo2 is an updated version of the popular Merry cybercriminals software, known for being distributed through the Malware-as-a-Service (MaaS) model. This version offers enhanced remote control capabilities over victim devices and employs new masking techniques, including Domain Generation Algorithm (DGA), to evade detection and bypass security mechanisms.
The Exobot malware family was initially discovered in 2016 as a banking Trojan with the ability to target interfaces and intercept communications. In 2019, a lighter variant known as Exobotcompact surfaced, leading to the development of Octo in 2021, which eventually evolved into Octo2.
By 2022, cybercriminals had begun actively discussing Octo in underground forums, leading to its widespread use in various regions, including Europe, the USA, and Asia. The source code leak of Octo in 2024 led to the emergence of multiple program forks, but the original Octo2, developed by the creator of Octo, remains the most widely distributed version.
Octo2 introduces significant updates, enhancing remote device control stability and implementing evasion techniques to bypass detection systems. The malware now features a system to intercept and hide push notifications from victims, potentially enabling fraudulent activities by redirecting sensitive data.
The initial campaigns leveraging Octo2 have been identified in countries such as Italy, Poland, Moldova, and Hungary. The malware disguises itself as popular applications like Google Chrome and NordvPn to infiltrate user devices discreetly.
In these campaigns, the Zombinder service serves as the initial installation stage: upon launch, Zombinder prompts the installation of an additional “plugin,” which is actually Octo2, effectively evading Android 13+ restrictions.
Octo2 integrates a new Domain Generation Algorithm (DGA) to dynamically generate control server domains, complicating detection and blocking efforts by security researchers and antivirus companies.