{
	"id": "9af87a4c-3006-4e2f-86b6-8de92a339f59",
	"created_at": "2026-04-06T02:10:52.774986Z",
	"updated_at": "2026-04-10T03:30:33.260363Z",
	"deleted_at": null,
	"sha1_hash": "1f253115b3cf0cccea366b870f0185d2e7e8bf77",
	"title": "New Android banking malware remotely takes control of your device",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3077736,
	"plain_text": "New Android banking malware remotely takes control of your device\r\nBy Bill Toulas\r\nPublished: 2022-04-09 · Archived: 2026-04-06 01:48:18 UTC\r\nA new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow\r\nmalicious operators to perform on-device fraud.\r\nOcto is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the\r\ncybercrime space and had its source code leaked in 2018.\r\nThe new variant has been discovered by researchers at ThreatFabric, who observed several users looking to purchase it on\r\ndarknet forums.\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nOn-device fraud capabilities\r\nOcto's significant new feature compared to ExoCompact is an advanced remote access module that enables the threat actors\r\nto perform on-device fraud (ODF) by remotely controlling the compromised Android device.\r\nThe remote access is provided through a live screen streaming module (updated every second) through Android's\r\nMediaProjection and remote actions through the Accessibility Service.\r\nOcto uses a black screen overlay to hide the victim's remote operations, sets screen brightness to zero, and disables all\r\nnotifications by activating the \"no interruption\" mode.\r\nBy making the device appear to be turned off, the malware can perform various tasks without the victim knowing. These\r\ntasks include screen taps, gestures, text writing, clipboard modification, data pasting, and scrolling up and down.\r\nOn-Device Fraud allows complete takeover of the compromised device\r\nSource: ThreatFabric\r\nApart from the remote access system, Octo also features a powerful keylogger that can monitor and capture all victims'\r\nactions on infected Android devices.\r\nThis includes entered PINs, opened websites, clicks and elements clicked, focus-changing events, and text-changing events.\r\nFinally, Octo supports an extensive list of commands, with the most important being:\r\nBlock push notifications from specified applications\r\nEnable SMS interception\r\nDisable sound and temporarily lock the device's screen\r\nLaunch a specified application\r\nStart/stop remote access session\r\nUpdate list of C2s\r\nOpen specified URL\r\nSend SMS with specified text to a specified phone number\r\nCampaigns and attribution\r\nOcto is sold on forums, such as the Russian-speaking XSS hacking forum, by a threat actor using the alias \"Architect\" or\r\n\"goodluck.\"\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 3 of 6\n\nOf particular note, while most posts on XSS are in Russian, almost all posts between Octo and potential subscribers have\r\nbeen written in English.\r\nDue to the extensive similarities with ExoCompact, including Google Play publication success, Google Protect disabling\r\nfunction, and the reverse engineering protection system, ThreatFabric believes there's a good chance that 'Architect' is either\r\nthe same author or a new owner of ExoCompact's source code.\r\nExoCompact also features a remote access module, albeit a simpler one, also provides command execution delay options\r\nand has a similar admin panel to Octo's.\r\nOcto's panel\r\nSource: ThreatFabric\r\n\"Thus, having these facts in mind, we conclude that ExobotCompact was rebranded to Octo Android banking Trojan and is\r\nrented by its owner \"Architect\", also known as \"goodluck\". ThreatFabric tracks this variant as ExobotCompact.D,\"\r\nconcludes Threat Fabric in their report.\r\nRecent Google Play apps that infected devices with Octo include an app named \"Fast Cleaner,\" which had 50,000 installs\r\nuntil February 2022, when it was discovered and removed.\r\nFast Cleaner app delivering Octo to victims\r\nSource: ThreatFabric\r\nOther Octo campaigns relied on sites using fake browser update notices or bogus Play Store app update warnings.\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 4 of 6\n\nFake browser update notice pushing Octo installers\r\nSource: ThreatFabric\r\nSome Octo operators managed to infiltrate the Play Store again after the Fast Cleaner operation was over, using an app\r\nnamed \"Pocket Screencaster.\"\r\nThe full list of known Android apps containing the Octo malware is listed below:\r\nPocket Screencaster (com.moh.screen)\r\nFast Cleaner 2021 (vizeeva.fast.cleaner)\r\nPlay Store (com.restthe71)\r\nPostbank Security (com.carbuildz)\r\nPocket Screencaster (com.cutthousandjs)\r\nBAWAG PSK Security (com.frontwonder2), and\r\nPlay Store app install (com.theseeye5)\r\nA dangerous new breed\r\nTrojans featuring remote access modules are becoming more common, rendering robust account protection steps such as\r\ntwo-factor codes obsolete as the threat actor completely controls the device and its logged-in accounts.\r\nAnything the user sees on their device's screen becomes within the access of these malware variants, so after infection, no\r\ninformation is safe, and no protection measure is effective.\r\nThat said, users need to remain vigilant, keep the number of apps installed on their smartphones at a minimum, and regularly\r\ncheck to ensure Play Protect is enabled.\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nhttps://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/"
	],
	"report_names": [
		"new-android-banking-malware-remotely-takes-control-of-your-device"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441452,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f253115b3cf0cccea366b870f0185d2e7e8bf77.pdf",
		"text": "https://archive.orkl.eu/1f253115b3cf0cccea366b870f0185d2e7e8bf77.txt",
		"img": "https://archive.orkl.eu/1f253115b3cf0cccea366b870f0185d2e7e8bf77.jpg"
	}
}