Octo is a new Android malware that can steal banking details, let hackers perform remote commands

A new Android malware has been discovered that can perform remote commands on a device and record all the activities on it, thus compromising critical information.

  • Octo, a variant of the ExoCompact malware, has been discovered in the wild.
  • The malware is able to conceal its presence on the target system.
  • Octo is actively being sold to hackers on the darknet forums.

A new malware is now plaguing Android devices and can perform on-device fraud using remote access capabilities. Named Octo, the malware is able to take control of the device and execute remote commands on it, compromising sensitive information including the user's banking details.

Octo was spotted by researchers at ThreatFabric, whose report describes how the malware is being advertised on darknet forums, with several threat actors looking to purchase it. The report notes that Octo has evolved from ExoCompact, another malware variant based on the Exo trojan, whose source code was leaked in 2018.

The big difference between the two, as highlighted in a new report by BleepingComputer, is that Octo comes with an advanced remote access module. This module lets hackers perform on-device fraud by controlling the compromised Android device remotely through a live screen-streaming module that is updated every second.

Once in place on a compromised device, Octo uses a black screen overlay to hide the remote operations being carried out. Along with the overlay, the malware sets the screen brightness to zero and disables all notifications by activating the "no interruption" mode. The device then appears to be switched off, leaving its owner clueless about what is going on inside, while the malware continues to carry out commands remotely. Some of the tasks the malware can perform include "screen taps, gestures, text writing, clipboard modification, data pasting, and scrolling up and down," as per the report.

The list of commands extends to blocking push notifications, intercepting SMS, temporarily locking the screen, disabling sound, launching applications remotely, starting and stopping a remote access session, opening a specified URL and even sending SMS to a specific phone number.

The more devious function of the Octo malware is its powerful keylogger, which can be used to monitor and record all of the user's actions on the infected Android device. Using the keylogger, a hacker can record the PINs entered by the user, the websites opened or the elements clicked on the system, essentially giving away crucial information which can be used to map out the banking details of a user.

The report mentions that Octo is being sold on online forums by a threat actor using the alias "Architect" or "goodluck." It is being spread through apps like "Fast Cleaner" and "Pocket Screencaster" [since removed], fake browser update notices as well as bogus Play Store app update warnings. Android users are thus advised to steer clear of such malicious apps and only rely on apps from trusted sources on their devices.