There’s a new strain of malware floating around the internet, and it’s looking to control your Android device. Once installed, “Octo,” as it’s colloquially called, can both remotely see your screen and control your device, all without you knowing. Let’s examine where Octo came from, how it works, and how you can avoid it.
What is Octo?
ThreatFabric was the first outlet to discover and report on Octo, finding the strain to be an evolution of the Exobot family of malware. Since 2016, Exobot malware has primarily targeted banking activity, and it has evolved into different strains over time. ThreatFabric has now identified a strain it calls ExobotCompact.D; on the dark net, however, the malware is being referred to as “Octo.”
Many hackers attempt to break into your accounts from their own devices, phishing for your login information as well as your MFA codes. Octo, however, lets bad actors remotely operate your Android phone itself, in what’s called on-device fraud (ODF). ODF is extremely dangerous, because the activity isn’t coming from somewhere else in the world but from the very device your accounts and networks expect it to come from.
How does Octo work?
Octo takes over Android’s MediaProjection function in order to stream your smartphone’s screen remotely. While it’s not a perfect livestream (the video runs at about 1 frame per second), it’s plenty fast for hackers to see what they’re doing on your device. To actually do anything, though, they next use Octo to take over AccessibilityService.
You won’t see any of this happening, however, because Octo draws a black overlay on your screen and silences any notifications you may receive: from your perspective, your phone appears shut off, but to hackers, it’s open season on your Android device.
From here, hackers can perform an assortment of tasks remotely on your device, including taps, gestures, entering text, pasting text,…
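As an added example that is not part of the article or ThreatFabric’s research, here is a small POSIX shell audit aimed at the AccessibilityService abuse described above: it compares the accessibility services enabled on a device against an allow-list and flags anything unexpected. The allow-list, the use of `adb shell settings get secure enabled_accessibility_services` as the data source, and the sample setting value are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article or from ThreatFabric: audit which
# Android accessibility services are enabled, since Octo takes over
# AccessibilityService to drive the device. The input is the value of the
# secure setting "enabled_accessibility_services", which an admin can read
# with:  adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of flattened ComponentNames
# ("package/ServiceClass"; the class may be abbreviated with a leading dot),
# or the word "null" when nothing is enabled.

# Services the device owner knowingly enabled (assumed allow-list, colon-separated).
KNOWN_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample value: one legitimate service plus one from a package
# that is not on the allow-list (placeholder name, not a real Octo indicator).
SAMPLE_SETTING="$KNOWN_SERVICES:com.example.unknownapp/.ControlService"

# Print each enabled service whose package is not on the allow-list.
# Returns 1 if at least one unknown service is enabled, 0 otherwise.
audit_accessibility_services() {
    enabled="$1"
    found=0
    [ "$enabled" = "null" ] && return 0
    old_ifs=$IFS
    IFS=:
    for svc in $enabled; do
        [ -z "$svc" ] && continue
        pkg=${svc%%/*}       # package part of "package/ServiceClass"
        known=0
        for k in $KNOWN_SERVICES; do
            [ "${k%%/*}" = "$pkg" ] && known=1
        done
        if [ "$known" -eq 0 ]; then
            printf 'UNKNOWN accessibility service enabled: %s\n' "$svc"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Stand-alone usage on the constructed sample (replace with real adb output).
audit_accessibility_services "$SAMPLE_SETTING" || echo "review the services listed above"
```

A service from a package you did not install or enable yourself is worth investigating, since a remote-control app needs this permission to inject taps and text.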