A fascinating thing about the life cycle of malware is how malicious code packages evolve over time: threat actors grab something that works and then improve or extend it. One example is a family of Android banking malware that first appeared in 2016 as Exobot. It went after users in several countries until 2018, when it morphed into ExobotCompact, a remote access trojan (RAT) with several additional variants. Recently, cybersecurity researchers discovered Octo, a new RAT that evolved from Exobot but has even more deceptive features, such as one that lets the trojan hide its activity while it turns your phone into a vehicle for committing fraud.

Via Bleeping Computer, we know that cybersecurity researchers at Threat Fabric learned about Octo after seeing requests for it on dark web forums. Threat Fabric found that Octo has a lot in common with ExobotCompact, including measures that hinder reverse engineering of the malware, code that makes it easy to hide inside an innocent-seeming app on the Google Play Store, and the trick of disabling Google Play Protect once it is installed. What sets Octo apart, according to Threat Fabric, is on-device fraud (ODF) functionality. ODF isn't new to the malware ecosystem, but it is the feature that distinguishes Octo from the rest of the Exobot family of malicious apps.

To execute ODF, Octo abuses the Android Accessibility service, which the victim has to be tricked into granting, and sets up what amounts to a live stream of the device to the attacker's command and control (C2) server, refreshed about once a second. It then covers the display with a black overlay and disables notifications to hide what it is doing from the user. The device looks as though it has been turned off, while behind the blank screen the malware runs a session that performs taps, scrolling, text entry and cut-and-paste as if the victim were doing it. Octo also includes a keylogger that records everything the user types into the device (PINs, social security numbers, OnlyFans messages), can block push notifications from specific apps, and can intercept or send text messages.
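The capabilities described above (an enabled Accessibility service, an overlay that blanks the screen, SMS access) all correspond to grants that a defender can enumerate on a device. The following script is an added example, not code from the article or from Threat Fabric: it parses constructed samples in the shape of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>` output and flags non-platform packages that combine those grants. The package names, the abbreviated dumpsys layout and the trusted-package list are assumptions made for the example.

```python
"""Triage helper: flag Android packages that hold the permission combination
on-device-fraud malware needs (Accessibility binding + overlay + SMS).

All inputs below are constructed samples, not captured from a real device.
"""
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries. "com.example.fastclean" is hypothetical.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fastclean/.CleanA11yService"
)

# Constructed, heavily abbreviated `adb shell dumpsys package <pkg>` excerpts keyed by
# package. Real output is far longer; only the "<perm>: granted=true" lines matter here,
# and their exact layout is an assumption for the example.
SAMPLE_DUMPSYS = {
    "com.google.android.marvin.talkback": """\
  install permissions:
    android.permission.FOREGROUND_SERVICE: granted=true
""",
    "com.example.fastclean": """\
  requested permissions:
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
  install permissions:
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true
""",
}

# Accessibility services that legitimately hold the binding on most devices
# (assumed allowlist; extend it with your OEM's screen readers as needed).
TRUSTED_A11Y_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
GRANTED_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true", re.M)


def parse_enabled_a11y(setting_value):
    """Return the set of packages that currently have an enabled Accessibility service."""
    pkgs = set()
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def parse_granted(dumpsys_text):
    """Return the permissions reported as granted in a dumpsys package excerpt."""
    return set(GRANTED_RE.findall(dumpsys_text))


def assess(setting_value, dumpsys_by_pkg, trusted=TRUSTED_A11Y_PACKAGES):
    """Score every non-trusted package with an Accessibility service by how many
    fraud-enabling grants it combines. Returns a list of finding dicts."""
    findings = []
    for pkg in sorted(parse_enabled_a11y(setting_value) - trusted):
        granted = parse_granted(dumpsys_by_pkg.get(pkg, ""))
        signals = ["accessibility service enabled"]
        if OVERLAY_PERM in granted:
            signals.append("can draw over other apps (overlay)")
        if granted & SMS_PERMS:
            signals.append("SMS access")
        # One signal alone is common for legitimate apps; all three together is
        # the profile of remote-control-plus-hide-the-screen malware.
        severity = {1: "low", 2: "medium"}.get(len(signals), "high")
        findings.append({"package": pkg, "severity": severity, "signals": signals})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_ENABLED_A11Y, SAMPLE_DUMPSYS):
        print(f"{f['severity'].upper():6} {f['package']}: " + "; ".join(f["signals"]))
```

On a real device you would feed the two adb commands' output into `assess` instead of the samples; the useful output is not the one-line verdict but the list of packages that have Accessibility enabled at all, since a cleaner or utility app has no business holding it.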

Octo is an appropriate name, then, for a piece of malware that is so versatile. As for campaigns already using it, Threat Fabric found an innocent-looking app on Google Play called "Fast Cleaner" that was in fact a "dropper" for Octo. Droppers are legitimate-seeming shells that carry a malware payload; they may even do what they advertise, but in the end they are poison pills. According to the cybersecurity site, "Fast Cleaner" was a popular dropper: it had also been used to distribute other malware families such as Alien and Xenomorph.

As both Bleeping Computer and Threat Fabric point out, malicious software becomes more devious with each evolution, adding features like multi-factor authentication evasion. It's easy to feel completely exposed, but vigilance goes a long way: install apps only from publishers you trust, be suspicious of any app that asks for Accessibility or "draw over other apps" permission without a clear reason, keep Google Play Protect enabled, stay informed about the latest threats, and keep your device updated with the latest security patches.