CVE:
REFERENCES:
https://thehackernews.com/2024/09/new-octo2-android-banking-trojan.html
https://cybernews.com/security/android-banking-malware-remote-control/
https://cyble.com/blog/nexus-the-latest-android-banking-trojan-with-sova-connections/
DESCRIPTION: Octo2 is a new version of the Android banking trojan Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions. The emergence of Octo2 is said to have been primarily driven by the leak of the Octo source code earlier this year, leading other threat actors to spawn multiple variants of the malware. It includes a powerful feature set, allowing attackers to take over user devices and steal data. ThreatFabric analysts discovered the new trojan Brokewell, warning that it poses a significant threat to the banking industry and its users: it allows attackers to remotely access all assets available through banking apps.
IMPACT: The malware prompts the user to enable the Accessibility Service when it is launched for the first time. Once the victim grants this permission, the malware abuses the service to automatically approve requested permissions, enable device administration, and initiate keylogging. The malware operates surreptitiously by establishing a connection to the Command and Control (C&C) server via the following URL: hxxp://5.161.97[.]57:5000. Once connected, it transmits sensitive information, including Accessibility logs and a roster of installed applications, to the C&C server, as shown in the figure below. Upon receiving the list of installed applications, the C&C server verifies it against the targeted list of banking applications. If a match is found, the C&C server sends an "enableinject" command that includes the specific application's package name, as shown in the code snippet below.
SYSTEM AFFECTED: Some of the malicious apps containing Octo2 are listed below:
Europe Enterprise (com.xsusb_restore3)
Google Chrome (com.havirtual06numberresources)
NordVPN (com.handedfastee5)
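The behaviour in IMPACT and the package names in SYSTEM AFFECTED can be turned into a simple host-side triage check. The following is an added example written for this advisory, not code from the advisory or any of its sources: it flags the listed Octo2 packages, apps whose trusted label sits on an unexpected package ID, and connection-log lines that reach the C&C endpoint named above. The official package IDs for Chrome and NordVPN, the log line format, and all sample data are assumptions constructed for the example.

```python
# Added example (not from the advisory): triage an Android app inventory and a
# connection log for the Octo2 indicators named in the advisory text.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Malicious package IDs listed in SYSTEM AFFECTED (package -> displayed label)
OCTO2_PACKAGES = {
    "com.xsusb_restore3": "Europe Enterprise",
    "com.havirtual06numberresources": "Google Chrome",
    "com.handedfastee5": "NordVPN",
}
# C&C endpoint from IMPACT, with the defanging brackets removed
C2_HOST, C2_PORT = "5.161.97.57", 5000

# Assumed official package IDs for the brands the trojan impersonates
OFFICIAL_PACKAGES = {
    "Google Chrome": "com.android.chrome",
    "NordVPN": "com.nordvpn.android",
}

def check_inventory(apps):
    """apps: iterable of (label, package). Returns a list of Finding."""
    findings = []
    for label, pkg in apps:
        if pkg in OCTO2_PACKAGES:
            findings.append(Finding("known_octo2_package", pkg))
        elif label in OFFICIAL_PACKAGES and pkg != OFFICIAL_PACKAGES[label]:
            # A trusted brand label on a foreign package ID is the
            # impersonation pattern the advisory describes.
            findings.append(Finding("label_impersonation", f"{label} -> {pkg}"))
    return findings

# Assumed log format: "... pkg=<package> dst=<ip>:<port>"
CONN_RE = re.compile(r"dst=(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")

def check_connections(log_lines):
    """Return the log lines whose destination is the advisory's C&C endpoint."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if m and m["ip"] == C2_HOST and int(m["port"]) == C2_PORT:
            hits.append(line)
    return hits

if __name__ == "__main__":
    # Constructed sample data, not real device output
    inventory = [("Google Chrome", "com.android.chrome"),
                 ("NordVPN", "com.handedfastee5"),
                 ("Google Chrome", "com.fakechrome1")]
    log = ["2024-09-25T10:00:01 pkg=com.handedfastee5 dst=5.161.97.57:5000",
           "2024-09-25T10:00:02 pkg=com.android.chrome dst=142.250.1.1:443"]
    for f in check_inventory(inventory) + check_connections(log):
        print(f)
```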
RECOMMENDATIONS: The following steps are suggested as recommendations:
Download and install software only from official app stores such as the Google Play Store or the iOS App Store.
Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful when granting any permissions.
Keep your devices, operating systems, and applications updated.
Banks and other financial entities should educate customers on safeguarding themselves from malware attacks delivered via telephone, SMS, or email.
In case of a fraudulent transaction, immediately report it to the concerned bank.