Octo2 banking trojan is taking over Android phones and stealing cash — how to stay safe
Plus it's hiding inside legit apps
After a two-year hiatus, the Octo malware has returned with improved capabilities that make it easier for hackers to use it to completely take over the best Android phones.
As reported by The Hacker News, security researchers at ThreatFabric have discovered a new version of this Android banking trojan called Octo2. So far, it’s mainly been used in campaigns across Europe but this malware could easily be reconfigured to target Android users in the U.S., Canada and other countries around the world.
What makes Octo2 so dangerous is the fact that it’s currently being distributed in malicious versions of popular apps including Google Chrome and NordVPN. Once your phone is infected with this malware, not only can hackers completely take it over but they can also perform fraudulent transactions right from the device itself. This helps the hackers behind this campaign avoid being detected by banks and other financial institutions.
Here’s everything you need to know about this new version of Octo 2 including how it has managed to infiltrate legitimate apps along with some tips on how to stay safe from Android malware.
Hiding in legitimate apps
The original Octo malware was first discovered back in 2022. However, it’s actually based on the Exobot malware that was first detected in 2016 according to a blog post from ThreatFabric.
The reason we’re now seeing the emergence of Octo 2 is due to the fact that the source code for the original version leaked earlier this year. With Octo’s source code in hand, hackers have begun creating their own variations of this malware to use in their attacks.
At the same time, Octo has moved to a malware-as-a-service (MaaS) operating model in which other cybercriminals pay its developer a small fee to use the malware in their own attacks. Octo’s developer even promoted this new version by informing its clients that existing users would be able to get Octo2 for the same price with early access.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
To make their attacks harder to detect, the hackers deploying Octo2 are using it alongside an APK binding service called Zombinder. This may sound a bit too technical but here’s the gist, Zombinder lets hackers take legitimate Android apps and add malware to them in such a way that to the end user, they appear nearly identical to the original app.
Octo2 is downloaded by these rogue Android apps by convincing users that they need to install a “necessary plugin”. If an unsuspecting user falls for this, hackers then have complete control over their phone remotely which enables them to carry out all manner of attacks.
How to stay safe from Android malware
When it comes to staying safe from Android malware, the first and most important thing is that you avoid installing apps from unknown sources. This means only installing apps from trusted app stores like the Google Play Store, Samsung Galaxy Store or the Amazon Appstore.
Sideloading apps may be convenient but by doing so, you put yourself at risk of installing a malicious app that can then infect your phone with malware. This is why you should avoid doing so unless, of course, you need to install an app for work that can’t be hosted on an official store. However, this is extremely rare and most employers would never ask you to do this.
From here, you want to ensure that Google Play Protect is enabled on your Android phone. This free app comes pre-installed on most Android devices and it can scan all of your existing apps and any new ones you install for malware. For extra protection though, you should also consider using one of the best Android antivirus apps alongside it.
Now that Octo’s source code is out in the open, it’s very likely we will see even more variations of the malware. However, if you’re careful online, avoid sideloading apps and keep your phone updated with Google Play Protect enabled, you should be fine.
More from Tom's Guide
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.