There’s a new strain of malware floating around the internet, and it’s looking to control your Android device. Once installed, “Octo,” as it’s colloquially called, can both remotely see your screen and control your device, all without you knowing. Let’s examine where Octo came from, how it works, and how you can avoid it.
What is Oct?
ThreatFabric was the first outlet to discover and report on Octo, who found the strain as an evolution of Exobot family of malware. Since 2016, Exobot malware primarily targets banking activity, and has evolved into different strains over time. Now, ThreatFabric has identified a strain it calls ExobotCompact.D: On the dark net, however, the malware is being referred to as “Octo.”
Many hackers attempt to break into your accounts from their personal devices, by phishing for your login information, as well as your MFA codes. However, Octo allows bad actors to remotely access your Android phone, in what’s called on-device fraud (ODF). ODF is extremely dangerous, since the activity isn’t happening from somewhere else in the world, but from the device your accounts and networks expect it to.
How does Octo work?
Octo takes over Android’s MediaProjection function in order to stream your smartphone’s activity remotely. While it’s not a perfect livestream (the video runs about 1 frame per second), it’s plenty fast for hackers to see what they’re doing on your device. In order to actually do anything, though, they’ll next use Octo to take over AccessibilityService.
You won’t see any of this happening, however, because Octo employs a black overlay on your screen, in addition to silencing any notifications you may receive: From your perspective, your phone appears shut off, but to hackers, it’s open season on your Android device.
From here, hackers can perform an assortment of tasks remotely on your device, including taps, gestures, entering text, pasting text, long-clicks, and scrolling, among other commands. On top of that, a hacker doesn’t even need to do these things themselves: Rather, they can simply “tell” the malware what they want it to do, and the malware will perform tasks automatically. You can imagine, then, the potential scale of fraud is widened considerably, since it doesn’t require a human to sit there and go through the steps one-by-one.
Octo can do a lot once it’s on your device. It can act as a keylogger, reporting on every action you make on your device, including your lock pattern or PIN, URLs you visit, and any taps you make on your screen. In addition, it can scrape your contacts lists, intercept your SMSs, and record and control your phone calls. The author of Octo even made it more difficult to discover by writing their own code to hide the identity of the malware.
How does Octo get on your Android phone?
Like many malware infections, compromised apps are a major vehicle for installation. According to ThreatFabric, the app “Fast Cleaner” was found to contain Octo in addition to other malware types, and was downloaded over 50,000 times before Google removed it from the Play Store. The app primarily targeted users of European banks, and installed Octo by convincing the users to install a “browser update.” Other affected apps include a screen recorder called “Pocket Screencaster,” as well as a suite of fake banking apps designed to trick users of the real banks into downloading them.
The secret to steering clear of Octo, then, is to employ excellent cybersecurity practices on your Android device at all times. Never download an app from the Play Store without thoroughly vetting it first. While Google’s rejection system is certainly better than it used to be, compromised apps make it through all the time.
Next, be extremely wary of apps that ask you to download a separate app, or to install an update from their link, not the Play Store. Legitimate apps want you to use their app, not to follow a sketchy link to download some other app. Similarly, your apps will receive updates from the Play Store, not the app’s proprietary update site. These methods are classic malware installation tactics, and you can avoid them by simply being thoughtful about the actions you take on Android.
If you’re concerned you might have installed malware, you can use a trusted service like MalwareBytes to scan your device for malicious software. If you need to go nuclear, a factory-reset can wipe out any malware and install a fresh version of Android on your phone. As long as you are mindful about the apps and links you interact with on your devices, however, you should be well on your way to avoiding Octo and other malware like it.