This post is also available in: עברית (Hebrew)
Researchers are warning that the latest version of the credential-stealing Android malware, known as Octo2, is set to wreak havoc in the mobile threat landscape in 2025. This new iteration, part of the notorious ExobotCompact malware family, operates as malware-as-a-service, with its users conducting campaigns targeting regions including Europe, the USA, Canada, the Middle East, Singapore, and Australia.
The malware cleverly masquerades as legitimate applications such as Google Chrome and NordVPN. Once installed, Octo2 provides cybercriminals with remote access to harvest credentials via fake login pages, intercept push notifications, and perform actions without authorization.
Octo2 is particularly significant in the context of banking security. Its alarming capabilities and customizable nature are very appealing for various attackers, heightening the risks for users worldwide. As this threat continues to evolve, it’s crucial for banking app users and financial institutions to remain vigilant, implement robust security measures, and regularly update defenses. Threat Fabric researchers have already identified Octo2 being used, particularly in countries like Italy, Poland, Moldova, and Hungary, and they expect its distribution to become global soon.
According to Cybernews, one of the key features of Octo2, which makes detection significantly more challenging for security systems, is its use of a Dynamic Domain Generation Algorithm (DGA) – a feature that allows it to frequently change its command and control (C2) server addresses. A report released on October 10th by researchers at DomainTools revealed a rapid increase in domains associated with Octo2, from nine initial domains to 269 across 12 top-level domains (TLDs) within a short span. Cybersecurity specialists have already begun tracing and blocking some of these domains to disrupt the malware’s communication with its C2 server, gaining insights into its behavior and geographic spread.
The rise of malware-as-a-service necessitates a proactive approach from the cybersecurity community, sharing threat analysis and targeting it collaboratively. In the wake of this threat, users are urged to use malware detection tools, and there should be consistent monitoring of DNS traffic for suspicious domain queries.