Android accessibility features exploited by the Octo banking trojan

April 18, 2022

The Octo banking trojan is currently abusing the accessibility features of Android devices, and its operators have managed to get malicious apps into the Play Store. These rogue Android apps, hosted inside the app store, are used by threat actors to target financial agencies and banks.

According to researchers, the droppers are disguised as legitimate apps and are built to launch the malicious payloads embedded in them. Threat actors are using numerous such applications, posing as utility apps, to deploy the Octo banking trojan.

Once installed on a targeted device, a dropper acts as the vector that deploys the trojan, which then prompts the user to grant it accessibility services so it can steal sensitive information.

Among the malicious apps confirmed by researchers are the Fast Cleaner 2021 app, Postbank Security, BAWAG PSK Security, Pocket Screencaster, and Play Store app install.

These apps spread through inventive distribution strategies, such as fraudulent landing pages that prompt the user to update their browser, as well as the Play Store itself.

Some experts claimed that the Octo banking trojan is a rebrand of a similar Android threat named ExobotCompact.


Beyond the usual banking-trojan functionality, Octo has several other capabilities.


According to a recent analysis, Octo can carry out on-device fraud once it gains remote control through the accessibility features. It also abuses Android's MediaProjection API and Accessibility Service permissions to capture screen contents in real time.

Other functions include harvesting contact information, preventing uninstallation, evading antivirus engines, logging keystrokes, and overlaying banking apps with fake screens to capture credentials.

The Octo banking trojan aims to initiate fraudulent transactions and authorise them automatically, without the manual steps threat actors would normally need. Its designers appear to want fraud on a much larger scale with minimal manual effort.

Experts believe Octo may remain a threat for a long time, since its abuse of device accessibility features lets it bypass advanced security solutions. The numerous droppers already present in the Play Store and on landing pages only extend Octo's reach.

All users should rely on a strong monitoring system that analyses the behaviour of installed apps.
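One concrete check that follows from the article is to audit which installed apps currently hold an enabled accessibility service, since that grant is what the droppers ask for. The script below is an added example, not code from the article or the researchers; it parses the value of Android's `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package outside an assumed, admin-maintained allowlist. The sample value and package names are constructed placeholders, not real indicators.

```python
"""Audit enabled Android accessibility services against an allowlist.

The setting is a colon-separated list of flattened ComponentNames
("package/class"; the class may use the ".Shorthand" form). `settings get`
prints the literal string "null" when nothing is enabled.
"""
from typing import Dict, List, Set

# Assumption: packages whose accessibility services are expected on this
# device, e.g. a screen reader. Maintained by the device administrator.
ALLOWLIST: Set[str] = {
    "com.android.talkback",
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(setting_value: str) -> List[Dict[str, str]]:
    """Split the setting into {package, class} entries, ignoring blanks."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    entries = []
    for item in value.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # ComponentName shorthand: pkg/.Cls
            cls = pkg + cls
        entries.append({"package": pkg, "class": cls})
    return entries


def unexpected_services(setting_value: str,
                        allowlist: Set[str] = ALLOWLIST) -> List[Dict[str, str]]:
    """Return entries whose package is not on the allowlist."""
    return [e for e in parse_enabled_services(setting_value)
            if e["package"] not in allowlist]


# Constructed sample: a screen reader plus a "cleaner" utility app that has
# obtained accessibility access, the pattern the article's droppers rely on.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fastcleaner/.CleanerAccessibilityService")

if __name__ == "__main__":
    for entry in unexpected_services(SAMPLE):
        print(f"review accessibility grant: {entry['package']} ({entry['class']})")
```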
