{
	"id": "9ab1ccc8-9bd8-4be4-bc7b-270660609d19",
	"created_at": "2026-04-06T00:13:20.399823Z",
	"updated_at": "2026-04-10T03:30:32.733171Z",
	"deleted_at": null,
	"sha1_hash": "bd1b296d7d194a3ce012316cbb9fc9d3cd2a0100",
	"title": "Look out for Octo's tentacles! A new on-device fraud Android Banking Trojan with a rich legacy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5958407,
	"plain_text": "Look out for Octo's tentacles! A new on-device fraud Android\r\nBanking Trojan with a rich legacy\r\nPublished: 2024-10-01 · Archived: 2026-04-05 13:41:44 UTC\r\nIntro\r\nIn mid-2021, a new Android banking malware strain was spotted in the wild. While some AV companies dubbed it\r\na new family with the name “Coper”, ThreatFabric threat intelligence pointed towards it being a direct\r\ndescendant of the quite well-known malware family Exobot. First observed in 2016, and based on the source\r\ncode of the banking Trojan Marcher, Exobot was maintained until 2018, targeting financial institutions with a\r\nvariety of campaigns focused on Turkey, France and Germany as well as Australia, Thailand and Japan.\r\nSubsequently, a “lite” version of it was introduced, named ExobotCompact by its author, the threat actor known\r\nas “android” on dark-web forums.\r\nThreatFabric analysts were able to establish a direct connection between ExobotCompact and this newly spotted\r\nmalware strain, which was dubbed ExobotCompact.B on our MTI Portal. After several iterations of updates to\r\nExobotCompact, the latest variant was introduced in November 2021, referred to as ExobotCompact.D.\r\nThe latest activity of this malware family, and of the actors behind it, involves distribution through several malicious\r\napplications on the Google Play Store. These applications were installed more than 50,000 times and were targeting\r\nfinancial organisations all over the world, both with broad and generic campaigns with a large number of targets, as\r\nwell as very narrow and focused campaigns throughout Europe.\r\nhttps://threatfabric.com/blogs/octo-new-odf-banking-trojan.html\r\nPage 1 of 8\n\nOn January 23, 2022, ThreatFabric analysts spotted a post on one of the darknet forums, in which a member was\r\nlooking for the Octo Android botnet. 
Further analysis, as will be shown in this blog, uncovered a direct connection\r\nbetween Octo and ExobotCompact: in fact, ExobotCompact was updated with several features and rebranded as\r\nOcto. This blog covers the details of the attribution made by ThreatFabric analysts and provides more details of the modus\r\noperandi of this Android banking Trojan.\r\nOn-device fraud is here\r\nThe major update made to ExobotCompact brought remote access capability, thus allowing the threat actors\r\nbehind the Trojan to perform on-device fraud (ODF). ODF is the most dangerous, risky, and inconspicuous type\r\nof fraud, where transactions are initiated from the same device that the victim uses every day. In this case, anti-fraud engines are challenged to identify the fraudulent activity with a significantly smaller number of suspicious\r\nindicators compared to other types of fraud performed through different channels.\r\nIn general, to get remote control over the device, cybercriminals need screen streaming to see the contents of the\r\nscreen and some mechanism to execute actions on the device. To establish remote access to the infected device,\r\nExobotCompact.D relies on built-in services that are part of the Android OS: MediaProjection for screen streaming\r\nand AccessibilityService to perform actions remotely. Even though this solution cannot be deemed completely\r\nreliable, it is a realistic way to have remote control over the device. 
Screen streaming with MediaProjection is\r\nbased on sending screenshots at a high rate (one per second), which gives the operator a close-to-live representation of what\r\nis happening on the remote device.\r\nWhen ExobotCompact.D receives the “start_vnc” command, it parses the configuration sent together with this\r\ncommand:\r\nOption: Description\r\nSTREAM_SCREEN: Enables screen streaming with MediaProjection\r\nBLACK: Enables a black screen overlay to hide remote actions from the victim\r\nSILENT: Disables all notifications (no-interruption mode) and sets screen brightness to 0\r\nThe “BLACK” and “SILENT” options help avoid raising the victim's suspicion, as all remote actions and the events caused by\r\nthem will be hidden and performed invisibly. Besides screen streaming, ExobotCompact.D is able to read all the\r\ncontents of the screen, including each element's ID, type, and location on the screen. Having this information, the actor\r\nis able to re-create the layout of the screen on the C2 backend and have visibility into the internal structure of any\r\napp installed on the device. This information is later used when interacting with the remote device to point at the\r\nelement that should be interacted with (i.e., clicked).\r\nHaving this real-time visibility, including the internal layout of applications, the operator can send actions to be\r\nexecuted on the device with the help of the “vnc_tasks” command. 
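The remote-access mechanism described above rests on platform features that static triage can look for before any dynamic analysis: a declared AccessibilityService (the Trojan's channel for reading the view tree and injecting actions) and, on newer Android builds, the permissions tied to screen capture and overlay windows. The Python script below is an added example for this blog, not code from ThreatFabric and not code from the Trojan. It scores a decoded AndroidManifest.xml (as produced by apktool) for that capability combination. The two sample manifests are constructed for the example; the permission and attribute names are real Android ones, while the weights, the threshold and the mapping of SYSTEM_ALERT_WINDOW to the “BLACK” overlay are this example's own assumptions. Note that an accessibility service can draw its own overlay window, so a missing SYSTEM_ALERT_WINDOW does not clear an app.

```python
# Added example for manifest triage (not ThreatFabric's code, not the malware's).
# Scores a decoded AndroidManifest.xml for the capability set an on-device fraud
# Trojan needs: an AccessibilityService (remote actions), screen-capture and
# overlay permissions, and the ability to install a second-stage payload.
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'

def android_attr(name):
    # Decoded manifests carry their attributes in the android: namespace.
    return '{' + ANDROID_NS + '}' + name

# Real permission names; the reasons and weights are this example's own heuristic.
PERMISSION_WEIGHTS = {
    'android.permission.SYSTEM_ALERT_WINDOW':
        ('overlay windows, usable for a black-screen overlay', 3),
    'android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION':
        ('foreground screen-capture service (required from API 34)', 3),
    'android.permission.REQUEST_INSTALL_PACKAGES':
        ('can install a second-stage payload (dropper behaviour)', 2),
    'android.permission.READ_SMS':
        ('SMS access, typically for OTP interception', 2),
}
ACCESSIBILITY_BIND = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
ODF_THRESHOLD = 7   # assumed: accessibility service plus any capture/overlay signal

def triage_manifest(manifest_xml):
    # Returns (score, findings); the findings say which indicator fired and why.
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    requested = {p.get(android_attr('name')) for p in root.iter('uses-permission')}
    for perm, (reason, weight) in PERMISSION_WEIGHTS.items():
        if perm in requested:
            findings.append(perm + ': ' + reason)
            score += weight
    for svc in root.iter('service'):
        name = svc.get(android_attr('name'), '?')
        if svc.get(android_attr('permission')) == ACCESSIBILITY_BIND:
            findings.append('service ' + name + ': accessibility service, can read the view tree and inject clicks/text')
            score += 4
        if svc.get(android_attr('foregroundServiceType')) == 'mediaProjection':
            findings.append('service ' + name + ': mediaProjection foreground type, screen streaming')
            score += 3
    return score, findings

def is_odf_candidate(manifest_xml):
    # An accessibility service is the necessary input channel; the score adds the rest.
    score, findings = triage_manifest(manifest_xml)
    has_a11y = any('accessibility service' in f for f in findings)
    return has_a11y and score >= ODF_THRESHOLD

# Constructed sample manifests (not taken from any real application).
SUSPECT_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.cleaner'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <uses-permission android:name='android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION'/>
  <uses-permission android:name='android.permission.REQUEST_INSTALL_PACKAGES'/>
  <application android:label='Cleaner'>
    <service android:name='.A11y' android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter><action android:name='android.accessibilityservice.AccessibilityService'/></intent-filter>
    </service>
    <service android:name='.Cap' android:foregroundServiceType='mediaProjection'/>
  </application>
</manifest>'''

BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.notes'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application android:label='Notes'/>
</manifest>'''

if __name__ == '__main__':
    for label, manifest in (('suspect', SUSPECT_MANIFEST), ('benign', BENIGN_MANIFEST)):
        score, findings = triage_manifest(manifest)
        print(label, 'score', score, 'ODF candidate:', is_odf_candidate(manifest))
        for finding in findings:
            print('  -', finding)
```

Run it against the AndroidManifest.xml that apktool writes when decoding an APK; a hit is a reason to look at the app by hand (legitimate accessibility tools will also score), not a verdict on its own.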
The supported actions are listed in the table\r\nbelow:\r\nVNC task: Description\r\nclick_at: Performs a click at the specified coordinates X, Y\r\ngesture: Performs a gesture\r\nset_text: Sets the specified text in the specified element\r\nlong_click: Performs a long click\r\naction: Performs the specified action\r\nset_clip: Sets the clipboard text to the specified one\r\npaste: Pastes data from the clipboard\r\nsend_pattern: Performs a gesture based on the specified pattern\r\nscroll: Performs a scroll up/down\r\nWe would like to point out that this set of actions that the Trojan is able to perform on the victim's behalf is\r\nsufficient to implement (with certain updates made to the source code of the Trojan) an Automated Transfer System\r\n(ATS). In that case the operator does not have to interact with the remote device manually, but can simply send a\r\nsequence of actions to execute. Executing that sequence can lead to fraudulent transactions being initiated and\r\nauthorized automatically, without manual effort from the operator, thus allowing fraud on a significantly larger scale.\r\nOcto is the new Exo\r\nAt the time when the Octo Android botnet was first mentioned on forums, it was unclear what botnet this was,\r\nwhether it was some new malware family or just some well-known family rebranded.\r\nOn February 3, 2022, another member revealed the owner of the Octo botnet, a member of the forum known as\r\n“Architect”. Later in March, Architect confirmed he/she is the owner and seller of the Octo botnet:\r\nAn earlier post by Architect reveals his/her skills. 
A search by Telegram contact reveals another nickname used by\r\n“Architect” on another forum: “goodluck”.\r\nOn this forum, “goodluck” mentioned, on December 10, that he/she has a private Trojan written from scratch:\r\nWhile investigating the Octo botnet, ThreatFabric analysts spotted certain similarities between ExobotCompact\r\nfeatures and the skills advertised by the Octo botnet owner, “Architect”:\r\n“Source code protection from reverse (with native wrapper in C++)” - as we will show in this blog,\r\nExobotCompact uses proprietary payload obfuscation implemented in a native library that protects it from\r\nreverse engineering.\r\n“Publication in Google Play with 100% approve” – ExobotCompact was seen distributed by several\r\ndroppers uploaded to the official Google Play store.\r\n“Disable Google Protect” – disabling Google Play Protect is one of the first actions that ExobotCompact performs upon installation.\r\nAt this point ThreatFabric analysts made the hypothesis that the Octo botnet is a rebranding of ExobotCompact, and that\r\n“Architect” is either a new owner of the source code or the same actor who was behind Exobot and\r\nExobotCompact.A.\r\nTo test this hypothesis, ThreatFabric analysts examined the supported commands of ExobotCompact, its\r\ncapabilities, and the commands available on the administrator panel of the Octo banking Trojan.\r\nHere is a summary of our findings:\r\nBoth ExobotCompact and Octo have remote access capability, and it is called “VNC” in both cases.\r\nThe Octo panel has six time-based configurations that configure delays before executing some action. This list\r\nexactly matches the delays that ExobotCompact can receive from C2. 
Some of the configurations, like\r\n“minimize_delay” or “get_device_admin_delay”, are unique and we have not seen them in any other malware\r\nexcept ExobotCompact.\r\nThe commands available on the Octo panel are similar to the commands supported by ExobotCompact and do\r\nnot contain any command that is not present in the ExobotCompact code.\r\nWith these facts in mind, we conclude that ExobotCompact was rebranded as the Octo Android banking\r\nTrojan and is rented out by its owner “Architect”, also known as “goodluck”. ThreatFabric tracks this variant as\r\nExobotCompact.D.\r\nOther capabilities\r\nAs highlighted in the previous section, ExobotCompact/Octo has several notable features that help it to stay under the\r\nradar and perform on-device fraud (ODF). The full list of Octo capabilities is shown hereunder:\r\nAnalyzing the current mobile threat landscape, it is hard to point out a malware family that does not use anti-detection and anti-analysis techniques. However, most threat actors use third-party services that provide\r\nmalicious payload protection (so-called “cryptors”), while ExobotCompact implements proprietary payload\r\nprotection developed by its author. ExobotCompact.D uses a native library to decrypt and load the malicious\r\npayload, which makes it hard to analyze and detect.\r\nDespite the fact that the idea of using native libraries for obfuscation is not new, the implementation is quite\r\nunique and has only been seen used by ExobotCompact. The author of ExobotCompact pays attention not only to the\r\ndevelopment of new features, but also to improving the payload protection. The first versions of the native payload\r\nobfuscation were rather straightforward: the “decryptor” code was not obfuscated itself, making it easy to read and\r\nanalyze. In the latest versions of this native wrapper the author took a further step: native code obfuscation. 
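For the analyst, the practical question raised by that native-code obfuscation is how to get the strings back once the wrapper stops keeping them as literals and instead builds them at run time one character at a time: each appended character ends up as an immediate operand of a store instruction, so a plain strings scan of the library finds nothing. The Python script below is an added example for this blog, not ThreatFabric's tooling and not code from the Trojan. It reads an objdump-style listing, collects the single-byte immediate stores into one stack buffer, and reassembles adjacent printable bytes into strings. It understands two instruction shapes, x86-64 “mov BYTE PTR [rbp-0xNN],0xCC” and arm64 “mov wN, #imm” followed by “strb wN, [sp, #off]”. Both listings are constructed for the example (the mnemonics follow objdump conventions, the addresses are made up), and real compilers also pack several characters into wider stores, which this version does not decode.

```python
# Added example (not ThreatFabric's tooling, not code from the Trojan).
# Native code that builds a string symbol by symbol leaves no contiguous string
# in the binary: every character becomes an immediate stored to a stack slot.
# Reassembling those stores by slot offset recovers the text.
import re

# x86-64, objdump Intel syntax:   mov    BYTE PTR [rbp-0x20],0x73
X86_BYTE_STORE = re.compile(r'mov[ ]+BYTE PTR [[]rbp-(0x[0-9a-f]+)[]],(0x[0-9a-f]+)')
# arm64, objdump syntax:   mov w8, #0x42   then   strb w8, [sp, #48]
A64_MOV_IMM = re.compile(r'mov[ ]+(w[0-9]+),[ ]*#(0x[0-9a-f]+|[0-9]+)')
A64_STRB = re.compile(r'strb[ ]+(w[0-9]+|wzr),[ ]*[[]sp,[ ]*#(0x[0-9a-f]+|[0-9]+)[]]')

def collect_byte_stores(listing):
    # Maps a stack slot (signed offset from the frame base) to the byte stored there.
    cells = {}
    regs = {'wzr': 0}    # arm64: last immediate loaded into each w register
    for line in listing.splitlines():
        m = X86_BYTE_STORE.search(line)
        if m:
            cells[-int(m.group(1), 0)] = int(m.group(2), 0)   # rbp-0x20 -> slot -32
            continue
        m = A64_MOV_IMM.search(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 0)
            continue
        m = A64_STRB.search(line)
        if m and m.group(1) in regs:
            cells[int(m.group(2), 0)] = regs[m.group(1)]
    return cells

def recover_strings(listing, min_len=4):
    # Walks the slots in address order: adjacent printable bytes form one string;
    # a gap or a non-printable byte (for example the 0x00 terminator) ends it.
    cells = collect_byte_stores(listing)
    found, run, prev = [], [], None
    for slot in sorted(cells):
        value = cells[slot]
        printable = 0x20 <= value < 0x7f
        if printable and prev is not None and slot == prev + 1:
            run.append(chr(value))
        else:
            if len(run) >= min_len:
                found.append(''.join(run))
            run = [chr(value)] if printable else []
        prev = slot
    if len(run) >= min_len:
        found.append(''.join(run))
    return found

# Constructed x86-64 listing (addresses made up): builds 'start_vnc' at rbp-0x20.
X86_LISTING = '''
  1139: mov    BYTE PTR [rbp-0x20],0x73
  113d: mov    BYTE PTR [rbp-0x1f],0x74
  1141: mov    BYTE PTR [rbp-0x1e],0x61
  1145: mov    BYTE PTR [rbp-0x1d],0x72
  1149: mov    BYTE PTR [rbp-0x1c],0x74
  114d: mov    BYTE PTR [rbp-0x1b],0x5f
  1151: mov    BYTE PTR [rbp-0x1a],0x76
  1155: mov    BYTE PTR [rbp-0x19],0x6e
  1159: mov    BYTE PTR [rbp-0x18],0x63
  115d: mov    BYTE PTR [rbp-0x17],0x0
  1161: lea    rdi,[rbp-0x20]
'''

# Constructed arm64 listing (addresses made up): builds 'BLACK' at sp+48.
ARM64_LISTING = '''
  400: mov  w8, #0x42
  404: strb w8, [sp, #48]
  408: mov  w8, #0x4c
  40c: strb w8, [sp, #49]
  410: mov  w8, #0x41
  414: strb w8, [sp, #50]
  418: mov  w8, #0x43
  41c: strb w8, [sp, #51]
  420: mov  w8, #0x4b
  424: strb w8, [sp, #52]
  428: strb wzr, [sp, #53]
  42c: add  x0, sp, #48
'''

if __name__ == '__main__':
    for arch, listing in (('x86-64', X86_LISTING), ('arm64', ARM64_LISTING)):
        print(arch, recover_strings(listing))
```

Feed it the output of objdump (with -M intel on x86-64) for the wrapper's decryptor routine; once the API and command names reappear, they can go straight into a detection signature or a Frida hook. When a compiler has merged several characters into one 32-bit or 64-bit store, extend the collector to split such immediates into bytes before inserting them into the slot map.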
Since many\r\nanti-virus solutions rely on signature-based detection, this obfuscation makes it harder for them to detect the\r\nmalicious activity, as the native code no longer contains “suspicious” string signatures.\r\nThe following screenshots show strings in the first versions of the native wrapper compared to its latest versions:\r\nThe obfuscation trick used here is not new and is widely used in desktop malware as well as in some Android\r\nbanking Trojans. Strings are created dynamically during the execution of the native code by concatenating them\r\nsymbol by symbol, as seen in the following screenshot:\r\nSource: https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html"
	],
	"report_names": [
		"octo-new-odf-banking-trojan.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd1b296d7d194a3ce012316cbb9fc9d3cd2a0100.pdf",
		"text": "https://archive.orkl.eu/bd1b296d7d194a3ce012316cbb9fc9d3cd2a0100.txt",
		"img": "https://archive.orkl.eu/bd1b296d7d194a3ce012316cbb9fc9d3cd2a0100.jpg"
	}
}