{
	"id": "2d8ffd86-e7e1-4791-aa48-412ac1b9d960",
	"created_at": "2026-04-06T00:18:32.122015Z",
	"updated_at": "2026-04-10T03:30:32.827491Z",
	"deleted_at": null,
	"sha1_hash": "0787daae67d7b81c301a573e46093adad296be46",
	"title": "New Octo Banking Trojan Spreading via Fake Apps on Google Play Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224164,
	"plain_text": "New Octo Banking Trojan Spreading via Fake Apps on Google Play Store\r\nBy The Hacker News\r\nPublished: 2022-04-08 · Archived: 2026-04-05 15:39:09 UTC\r\nA number of rogue Android apps that have been cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities.\r\nThe rental banking trojan, dubbed Octo, is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a \"lite\" replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News.\r\nExobot is also said to have likely paved the way for a separate descendant called Coper, which was initially discovered targeting Colombian users around July 2021, with newer infections targeting Android users in different European countries.\r\n\"Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts,\" cybersecurity company Cyble noted in an analysis of the malware last month.\r\nhttps://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html\r\nPage 1 of 3\r\nLike other Android banking trojans, the rogue apps are nothing more than droppers, whose primary function is to deploy the malicious payload embedded within them. The list of Octo and Coper droppers used by multiple threat actors is below -\r\nPocket Screencaster (com.moh.screen)\r\nFast Cleaner 2021 (vizeeva.fast.cleaner)\r\nPlay Store (com.restthe71)\r\nPostbank Security (com.carbuildz)\r\nPocket Screencaster (com.cutthousandjs)\r\nBAWAG PSK Security (com.frontwonder2), and\r\nPlay Store app install (com.theseeye5)\r\nThese apps, which pose as a Play Store app installer, screen recording tools, and financial apps, are \"powered by inventive distribution schemes\" and are distributed both through the Google Play Store and via fraudulent landing pages that purportedly alert users to download a browser update.\r\nThe droppers, once installed, act as a conduit to launch the trojans, but not before asking users to enable Accessibility Services, which grant the malware a wide breadth of capabilities to exfiltrate sensitive information from the compromised phones.\r\nOcto, the revised version of ExobotCompact, is also equipped to perform on-device fraud by gaining remote control over the devices, taking advantage of the accessibility permissions as well as Android's MediaProjection API to capture screen contents in real time.\r\nThe ultimate goal, ThreatFabric said, is to trigger the \"automatic initiation of fraudulent transactions and its authorization without manual efforts from the operator, thus allowing fraud on a significantly larger scale.\"\r\nOther notable features of Octo include logging keystrokes, carrying out overlay attacks on banking apps to capture credentials, harvesting contact information, and persistence measures to prevent uninstallation and evade antivirus engines.\r\n\"Rebranding to Octo erases previous ties to the Exobot source code leak, inviting multiple threat actors looking for opportunity to rent an allegedly new and original trojan,\" ThreatFabric noted.\r\n\"Its capabilities put at risk not only explicitly targeted applications that are targeted by overlay attack, but any application installed on the infected device as ExobotCompact/Octo is able to read content of any app displayed on the screen and provide the actor with sufficient information to remotely interact with it and perform on-device fraud (ODF).\"\r\nThe findings come close on the heels of the discovery of a distinct Android bankbot named GodFather — sharing overlaps with the Cerberus and Medusa banking trojans — that has been observed targeting banking users in Europe under the guise of the default Settings app to transfer funds and steal SMS messages, among other actions.\r\nOn top of that, a new analysis published by AppCensus found 11 apps with more than 46 million installations that were implanted with a third-party SDK named Coelib that made it possible to capture clipboard content, GPS data, email addresses, phone numbers, and even the user's modem router MAC address and network SSID.\r\nSource: https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html"
	],
	"report_names": [
		"new-octo-banking-trojan-spreading-via.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434712,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0787daae67d7b81c301a573e46093adad296be46.pdf",
		"text": "https://archive.orkl.eu/0787daae67d7b81c301a573e46093adad296be46.txt",
		"img": "https://archive.orkl.eu/0787daae67d7b81c301a573e46093adad296be46.jpg"
	}
}