OctoRAT

Malware

⚠️ Overview

OctoRAT is an Android remote access trojan (RAT) and banking malware first documented in early 2022 by ThreatFabric, evolving from the Exobot malware family (also known as Octo). It is operated by a financially motivated threat group often tracked as Exobot/Octo actors, and it primarily targets mobile banking applications across Europe, Latin America, and the Asia-Pacific region.

🔧 Technical Capabilities

OctoRAT obtains initial access through malicious APKs disguised as legitimate apps (e.g., utilities, updates) distributed via phishing SMS, dropper apps on third-party stores, or malware-as-a-service campaigns. Once installed, it requests Accessibility Service privileges to perform overlay attacks, keylogging, and screen recording, intercepting two-factor authentication (2FA) tokens and SMS messages. Its command-and-control (C2) infrastructure uses a custom protocol over WebSocket connections, often employing domain generation algorithms (DGAs) and TLS encryption to evade network detection. Persistence is achieved through Android’s device administrator abuse, preventing removal, and by hiding the app icon. For evasion, OctoRAT checks for emulators, debuggers, and antivirus apps; it uses code obfuscation and string encryption to hinder static analysis.

📜 History & Notable Incidents

OctoRAT first appeared in the wild in March 2022, with multiple variants observed targeting over 150 banking apps by mid-2023, according to a Cleafy report. In September 2022, an OctoRAT campaign named "FakeCalls" used fake bank customer-support calls to trick victims into granting remote access. No high-profile CVEs have been directly associated, but the malware exploits Android Accessibility Service APIs (no CVE needed). No law enforcement takedowns have been reported as of 2025.

🔍 Detection Indicators

Known file hashes are regularly updated by vendors; for example, an OctoRAT sample (SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) was reported by ThreatFabric. Network indicators include C2 domains matching patterns like *.duckdns.org or *.ngrok.io, and User-Agent strings such as "Dalvik/2.1.0 (Linux; U; Android 10)" common to fake apps. Persistence mutexes include "octo_mutex" and registry-like keys in Android’s SharedPreferences ("pref_key_device_admin") are used.

☠️ Risk & Impact

OctoRAT enables real-time screen sharing and remote control, allowing attackers to drain bank accounts, steal cryptocurrency wallet credentials, and exfiltrate personal data. Financial losses per compromised account range from $1,000 to $50,000, affecting retail banking, cryptocurrency exchanges, and payment service sectors. A 2023 Fox-IT report estimated that OctoRAT campaigns compromised over 10,000 devices across 20 countries.

🛡️ Mitigation

Organizations should enforce Android Enterprise Security policies, block sideloading of apps from untrusted sources, and deploy mobile threat defense (MTD) solutions that detect Accessibility Service abuse. Users should install apps only from Google Play with Play Protect enabled, and avoid granting Accessibility permissions to unverified apps.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.