Octo
Octo is an Android banking trojan descended from the Exobot lineage (2016), offering remote access via real-time screen streaming using Android's MediaProjection API. Sold as malware-as-a-service (MaaS) on underground forums, it provides operators with on-device fraud (ODF) capability through a combination of screen streaming at 1 frame per second, accessibility-driven input simulation, and overlay injection. Its 2024 successor, Octo2, introduced DGA-based C2 resolution and improved anti-analysis, responding to a source code leak that spawned competing forks.
Overview
| Attribute | Details |
|---|---|
| First Seen | 2022 (as Octo); 2021 (as Coper); 2018 (as ExobotCompact); 2016 (as Exobot) |
| Status | Active (Octo2, 2024-present) |
| Type | Banking trojan, MaaS, RAT |
| Aliases | ExobotCompact, Coper |
| Attribution | Threat actor "Architect" / "goodluck" (forum handles) |
| Distribution | Google Play droppers, sideloading, third-party stores |
Origin and Lineage
Octo has the most thoroughly documented lineage of any modern Android banking trojan. ThreatFabric traced the full evolution from Exobot through ExobotCompact to Octo:
Exobot (2016-2018): A full-featured banking trojan targeting financial institutions globally. The original author ceased development around 2018.
ExobotCompact (2018-2021): A lightweight version created by a threat actor using the handle "android" on dark web forums. Stripped down from the original Exobot, it retained core banking trojan features but with a smaller footprint.
Coper (2021): Some AV vendors independently discovered ExobotCompact samples in 2021 and tracked them under the name "Coper." ThreatFabric proved that Coper and ExobotCompact were the same family.
Octo (2022): In January 2022, ThreatFabric analysts spotted forum posts seeking the "Octo Android botnet." Investigation revealed that ExobotCompact had been updated with remote access capabilities and rebranded as Octo. The rebrand accompanied a transition to a MaaS model under the operator "Architect" (also known as "goodluck").
Octo2 (2024): Following a source code leak of Octo1 that spawned unauthorized forks, the original author released Octo2 with significant improvements to DGA, anti-analysis, and remote access stability.
Possible Coper Descendants: Frogblight, a Turkish banking trojan discovered in 2025, shows possible connections to the Coper MaaS ecosystem according to Kaspersky's analysis. If confirmed, it would represent another branch of the Exobot lineage operating independently from Octo.
Distribution
| Vector | Details |
|---|---|
| Google Play droppers | Fake apps (fast cleaner, play store, etc.) uploaded to Google Play |
| Third-party app stores | APKs distributed through unofficial markets |
| Smishing | SMS campaigns directing victims to download pages |
| MaaS affiliates | Operators receive builder access and distribute through their own channels |
ThreatFabric documented multiple Google Play dropper campaigns, including a "Fast Cleaner" app with 50,000+ installs that delivered Octo as its payload.
Capabilities
Version Evolution
| Version | Period | Key Capabilities |
|---|---|---|
| ExobotCompact | 2018-2021 | Overlay injection, SMS interception, keylogging, notification blocking |
| Octo (v1) | 2022-2024 | All above + MediaProjection screen streaming, accessibility remote control, black screen hiding |
| Octo2 | 2024-present | All above + DGA for C2, dynamic key generation, improved obfuscation, enhanced remote access stability |
Core Features
| Capability | Implementation |
|---|---|
| Screen streaming | MediaProjection API captures screenshots at 1/sec, streamed to operator |
| Remote input | Accessibility service simulates taps, swipes, gestures, text input |
| Overlay injection | WebView-based injects triggered by target app detection |
| Keylogging | Captures PINs, URLs visited, clicks, focus changes, text edits |
| SMS interception | Reads, sends, and mutes incoming SMS |
| Notification blocking | Suppresses notifications from specified apps |
| App launching | Opens arbitrary apps on command |
| Screen lock control | Locks/unlocks device, mutes audio |
| Black screen overlay | Displays black screen and dims brightness to zero to hide remote operations |
Remote Access (ODF)
The remote access capability is what elevated Octo above standard overlay-only trojans. The implementation:
- MediaProjection captures the screen as compressed screenshots at ~1 frame per second
- Screenshots are streamed to the operator's panel over the C2 channel
- The operator sees near-real-time device state and sends commands back
- Accessibility service executes the commands as taps, swipes, and text input
- A black screen overlay with zero brightness hides the activity from the victim
This creates an interactive remote session within the victim's device, allowing the operator to navigate banking apps, initiate transfers, and confirm transactions as if holding the phone.
Technical Details
C2 Communication
Octo v1:
| Component | Details |
|---|---|
| Encryption | AES with hardcoded static key |
| Encoding | Base64 over AES ciphertext |
| Protocol | HTTPS |
| C2 resolution | Hardcoded domains |
Octo2:
| Component | Details |
|---|---|
| Encryption | AES with per-request dynamically generated keys |
| Key exchange | Cryptographic salt shared in request, C2 derives matching key |
| Protocol | HTTPS |
| C2 resolution | Domain Generation Algorithm (DGA) |
ThreatFabric's Octo2 analysis details the improvements: instead of a static hardcoded key, each request generates a fresh encryption key. The salt is included in the request body so the C2 can independently derive the same key for decryption.
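The two envelope designs in the tables above, modelled as an added Go example (mine, not ThreatFabric's analysis code or anything from the malware): v1 encrypts every request under one embedded key, so that key, once recovered from a sample, opens all of its captured traffic; Octo2 sends a random salt with each request and both ends derive that request's key from the salt and an embedded secret. HMAC-SHA256 as the KDF, AES-GCM with a prepended nonce, the salt length and the secret value are all assumptions; the page names only AES, Base64 and a salt carried in the request body.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed stand-in for the secret a sample carries; it never travels on the wire, only the salt does.
var masterSecret = []byte("constructed-octo2-style-master-secret")

// deriveKey is the assumed KDF, HMAC-SHA256(secret, salt) -> 32-byte AES-256 key (the page names no KDF).
func deriveKey(salt []byte) []byte {
	m := hmac.New(sha256.New, masterSecret)
	m.Write(salt)
	return m.Sum(nil)
}

// aead wraps the derived key in AES-GCM (GCM is an assumption; the page names only AES).
func aead(salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one request body under the salt's key, prepending the GCM nonce; Octo2 draws a fresh salt per request.
func Seal(salt, msg []byte) ([]byte, error) {
	g, err := aead(salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in supported Go versions
	return g.Seal(nonce, nonce, msg, nil), nil
}

// Open is the C2 side, or an analyst holding the extracted secret: rederive the key from the
// request's salt, then decrypt. A key recovered from one request opens no other request.
func Open(salt, body []byte) ([]byte, error) {
	g, err := aead(salt)
	if err != nil || len(body) < g.NonceSize() {
		return nil, errors.New("bad key or body shorter than GCM nonce")
	}
	return g.Open(nil, body[:g.NonceSize()], body[g.NonceSize():], nil)
}
```

The v1 envelope is the same construction with a fixed key in place of the salt-derived one; the Base64 layer over the sealed body, as the tables describe, is left to the caller.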
Octo2 DGA
The DGA generates C2 domain names dynamically, allowing operators to rotate infrastructure without rebuilding samples. ThreatFabric documented the implementation: a native library decrypts the malicious payload at runtime, generates encryption keys, and produces C2 domain names through the DGA.
Anti-Analysis (Octo2)
| Technique | Details |
|---|---|
| Multi-stage loading | Native library decrypts and loads payload dynamically |
| Code obfuscation | More sophisticated than Octo1, multiple decryption layers |
| DGA | Eliminates static C2 indicators |
| Dynamic key derivation | Per-request encryption keys defeat traffic replay |
MaaS Infrastructure
Octo operates as a full MaaS platform:
- Panel: Web-based operator interface for managing bots, viewing screen streams, sending commands
- Builder: Generates customized APKs with operator-specific C2 configuration
- Inject hosting: C2 serves WebView-based overlays for target apps
- Bot management: Track infected devices, filter by country/installed apps
Team Cymru documented the MaaS infrastructure from a network intelligence perspective, mapping C2 servers and operator panels.
Target Regions and Financial Institutions
| Period | Primary Targets |
|---|---|
| 2021-2022 (Coper/ExobotCompact) | Latin America, Europe |
| 2022-2024 (Octo) | Global, operator-dependent (MaaS) |
| 2024 (Octo2) | Italy, Poland, Moldova, Hungary (initial campaigns) |
As a MaaS operation, Octo's targeting depends on individual operators. The platform provides inject kits covering banking apps across multiple regions, but each affiliate selects their own targets.
Notable Campaigns
January 2022: ThreatFabric identified Octo on dark web forums and linked it to ExobotCompact, documenting the full lineage from Exobot. A "Fast Cleaner" app on Google Play with 50,000+ installs was identified as an Octo dropper.
2022-2023: Team Cymru tracked Octo's MaaS infrastructure and documented increasing operator activity, with more campaigns and more affiliates gaining access to the platform.
Early 2024: The Octo1 source code leaked, leading to multiple unauthorized forks by third-party actors. This fragmentation of the ecosystem likely motivated the original author to release Octo2.
September 2024: ThreatFabric disclosed Octo2 with campaigns already targeting European banks in Italy, Poland, Moldova, and Hungary. Initial samples impersonated NordVPN and Google Chrome. The author offered Octo2 to existing Octo1 customers at the same price with early access.