You will also be interested
[EN VIDÉO] Phishing: what is it and how to prevent it? Phishing, or phishing in English, is a form of spam consisting of impersonating a reliable person or organization in order to hack information.
By monitoring the dark web, the cybersecurity company ThreatFabric discovered the existence of a new banking trojan, christened Octo. specific to androidit is a new, more advanced version of the Trojan horse ExobotCompact.D, itself an evolution of the Exobot malware first discovered in 2016
Like most of banking malwareOcto can record keystrokes in order to record Passwords and credit card numbers. It also targets apps specific, in particular banking, where it displays a false page over the application which asks the victim to identify himself. The malware also integrates functions to intercept and send SMSblock notifications from specific apps, or even receive commands from a server.
The author can control the smartphone in real time
However, the main novelty is that the author now has the possibility of handling the smart phone of the victim. Besides simply stealing the data and using it later, it can perform operations directly on the infected device, reducing the risk of detection. Actions from the device and theIP adress usual, they are less likely to be flagged as suspicious by the bank or the targeted application.
Octo relies on function Accessibility Service Android to perform remote actions (click, scroll, paste text…), and the MediaProjection function to display the screen at a rate of screenshot per second. The author could even create a script to perform them automatically depending on the application, without having to interact directly with the infected device. The Trojan can also display a black screen to hide its actions, mute all notifications and lower the brightness at least.
Fake apps on the Play Store
The Trojan was distributed through fake apps directly on Play store of Google, which have been downloaded more than 50,000 times. These do not contain the malwarebut a module (drop) that allows you to install it, in order to bypass the security of the Play Store. To trick victims into installing one of these apps, the author used fake pages on infected sites that ask to download a browser update. One of the applications pointed out, and since removed, is Fast Cleaner (vizeeva.fast.cleaner), which was also used to install the banking malware Xenomorph. Other scam apps are:
- Pocket Screencaster (com.moh.screen)
- Play Store (com.restthe71)
- Postbank Security (com.carbuildz)
- Pocket Screencaster (com.cutthousandjs)
- BAWAG PSK Security (com.frontwonder2)
- Play Store app install (com.theseeye5)
This kind of malware shows the limits of double authentication, since it has access to the smartphone accounts and can intercept any message received. The victim does not even realize the problem since the screen seems to stay off. The only parade is to pay close attention to the installed applications.
Interested in what you just read?