A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN and Google Chrome. According to cybersecurity firm ThreatFabric, this trojan disguises itself within seemingly legitimate apps to trick users into granting permissions, ultimately enabling attackers to access sensitive information and take over bank accounts.
After the malicious app is installed, victims receive a misleading pop-up prompting them to confirm installation and enable a “necessary plugin.” In reality, this bypasses Android security settings and allows Octo2 to be installed. The malware uses a tool called “Zombinder,” sourced from the dark web, to hide within legitimate app packages. It’s also capable of circumventing Android 13 security features.
Once installed, Octo2 enables attackers to intercept sensitive user data, remotely control devices to carry out banking transactions, and capture and transmit screenshots—optimizing their quality even over poor internet connections. Unlike earlier variants of Octo malware, Octo2 has additional features designed to evade detection.
Octo2 was first detected in Europe, while previous versions of Octo malware have appeared across the U.S., Canada, the Middle East, Asia, and Oceania. Octo2 traces its roots back to the Exobot malware, a family of trojans active since 2016. Because the source code is available on the dark web, Octo has become a “malware-as-a-service,” easily accessible to cybercriminals.
To protect against Octo2, experts recommend enabling Google Play Protect, only downloading apps from verified sources, and installing VPNs and browsers from reputable developers.
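The "verified sources" advice can be turned into a quick triage check: Android records which app installed each package, and `adb shell pm list packages -i` reports it. The script below is an added example, not code from the article or from ThreatFabric; it parses that output and lists every package whose installer is not Google Play (`com.android.vending`). The sample output and package names it uses are constructed for illustration and are not indicators from the report.

```shell
#!/bin/sh
# Added example: flag apps not installed through Google Play, using the output of
#   adb shell pm list packages -i
# Each line looks like:  package:<name>  installer=<installer package or null>

# Constructed sample output (not real device data, not Octo2 indicators).
SAMPLE_PM_OUTPUT='package:com.nordvpn.android  installer=com.android.vending
package:com.android.chrome  installer=null
package:com.example.fake.chrome  installer=com.android.packageinstaller
package:com.example.fake.vpn  installer=com.google.android.packageinstaller'

# Print "<package> <installer>" for every entry whose installer is not Google Play.
# installer=null covers preloaded system apps as well as adb/sideloaded installs,
# so those lines still need a manual look rather than being treated as clean.
list_non_play_installs() {
  printf '%s\n' "$1" | awk '
    /^package:/ {
      pkg = substr($1, 9)                 # strip the "package:" prefix
      inst = $2; sub(/^installer=/, "", inst)
      if (inst != "com.android.vending") print pkg, inst
    }'
}

# Number of packages that did not come from Google Play.
count_non_play_installs() {
  list_non_play_installs "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real device replace
# "$SAMPLE_PM_OUTPUT" with "$(adb shell pm list packages -i)".
list_non_play_installs "$SAMPLE_PM_OUTPUT"
echo "non-Play installs: $(count_non_play_installs "$SAMPLE_PM_OUTPUT")"
```

Entries installed by the system package installer (a tapped APK) are the ones to review first: a "Chrome" or "NordVPN" package that did not arrive from Google Play is exactly the situation the article describes.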