A new Android banking trojan, dubbed Octo2, has been discovered by cybersecurity researchers, targeting users across Europe with advanced device takeover (DTO) capabilities. According to Dutch security firm ThreatFabric, Octo2 is an evolution of the original Octo malware and is being distributed through malicious apps in countries like Italy, Poland, Moldova, and Hungary. This new variant allows cybercriminals to take remote control of infected devices, perform fraudulent transactions, and steal sensitive banking information.
Octo2 is built on the leaked source code of its predecessor Octo, which itself is derived from an older malware known as Exobot, first detected in 2016. The malware’s authors have introduced several enhancements, including improved stability for remote actions and sophisticated obfuscation techniques. A key feature of Octo2 is the introduction of a Domain Generation Algorithm (DGA), which dynamically generates command-and-control (C2) server names, making it harder for security teams to trace and block its activity.
Another significant development is Octo2’s transition to a malware-as-a-service (MaaS) model, allowing cybercriminals to rent the malware for their operations. This business model enables the malware to be monetized, giving a wider range of threat actors access to powerful fraud and device takeover tools. According to ThreatFabric, Octo2 has already attracted significant interest, with existing users of Octo1 being offered early access to the new version at no extra cost.
The malware is distributed via rogue Android apps using a technique called APK binding, enabled by a service called Zombinder. This method allows attackers to trojanize legitimate applications, tricking users into installing a “necessary plugin” that actually downloads the Octo2 malware. As Octo2 continues to spread, it poses a growing risk to mobile banking users worldwide, making it critical for users to stay vigilant and regularly update their devices to guard against such sophisticated threats.
