Android Malware Posing as Google Play Store App Installer
During our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across various malware samples of Coper malware from a third-party intelligence website. Coper is linked to ExoBotCompat, a revised version of Exobot Android malware.
Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts. Coper malware was initially discovered targeting Colombian users around July 2021.
Newer versions of the Coper Banking trojan have been observed targeting Android users in different countries across Europe. They are anticipated to expand their scope to other regions in the future, targeting a variety of banking apps worldwide.
This type of malware is generally known for impersonating financial institution apps called Bancolombia Personas. Newer versions of the Coper malware also started to adopt impersonating Utility apps.
The infection itself is broken down into two distinct phases. The first step is to install the fake app that the Threat Actors (TAs) pass off as banking software. This app is nothing more than a dropper, and its sole purpose is to disseminate and install the primary harmful module hidden within the malicious app.
The features in the current version of Coper malware are listed below:
- Send USSD requests
- Send SMS
- Lock the device screen
- Unlock the device screen
- Start intercepting SMS
- Stop intercepting SMS
- Display a push notification
- Re-display phishing window on top of the specified app
- Run a keylogger
- Stop a keylogger
- Uninstall applications specified in the command
- Uninstall itself with the dropper app
Technical Analysis
APK Metadata Information
- App Name: Play Store app install
- Package Name: com.theseeye5
- SHA256 Hash: 4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f
Figure 1 shows the metadata information of an application.
The figure below shows the application icon impersonating the Google Play Store app displayed on the Android device.
Manifest Description
The fake Play Store app asks for 32 permissions, of which the TA takes advantage of 12. The malware’s harmful permission requests are listed below:
| Permission | Description |
| READ_PHONE_STATE | Allows the application to access the phone features of the device |
| ADD_VOICEMAIL | Allows an application to add voicemails into the system |
| CALL_PHONE | Allows the application to call phone numbers without your intervention |
| READ_EXTERNAL_STORAGE | Allows an application to read from external storage. |
| WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. |
| WRITE_SETTINGS | Allows an application to modify the system’s settings data. |
| CALL_PHONE | Perform call without user intervention |
| READ_SMS | Access user’s SMSs stored in the device |
| RECEIVE_SMS | Fetch and process SMS messages |
| SEND_SMS | Allows the app to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows to display system alerts over other apps |
We found the activity class that is initiated when the app is launched via the icon. This was determined by looking at the Android components declared in the Manifest file. Figure 3 depicts the declaration of this activity.
In addition to the launcher activity, the application’s Manifest file contains several receivers & services and the application’s subclass.
Source Code Review
Apart from the application’s subclass, the rest of the components identified from the Manifest file are missing. Hence, we can infer that the application is packed.
“com.theseeye5.KSNckdWjjyIXg” is the applications subclass initiated on launching the application. The application loads its components from the library file upon analyzing the subclass, as shown below.
The project file browser can also be used for viewing the library file’s presence. libyvr.so is visible in the screenshot below.
Upon analyzing the “.so” file, the application acts as a dropper, which is the initial phase of the Coper malware that drops and installs the malware’s primary harmful module hiding inside the victim’s Android device.
As seen in Figure 4, the file drops an encrypted.dex file. This file can be decrypted to reveal the Coper malware’s malicious code, as shown below.
Upon analyzing the decrypted.dex file, we were able to find the presence of missed Receivers, Services, and Mainactivity of the application. Below, we have listed the malicious activities the application can perform:
- The application uses the Device Administration API along with the DeviceAdminReceiver subclass to enable/disable device admin to the apps that users install on their devices.
- The application can read all the incoming SMS messages from the infected device.
- The application’s entry point/launcher activity reads installed packages from the user’s device.
- The malware reads the incoming notifications by verifying the packages and steals the messages from the notification using Notification Listener Service.
Like other Banking Trojans, Coper malware requests users to enable the Accessibility Service to perform various Accessibility Event types to conduct malicious activities, as shown in the below figure.
The malware maintains a connection with the C&C server and queries it every minute. If the malware gets the relevant instructions from the C&C server, the time interval can be altered to ensure the malware gets sufficient time to perform other malicious functionalities.
Coper malware may also alter additional configuration parameters, as shown in Figure 12.
The list of webinjects or applications for which malicious apps attempt to steal data were also identified. Coper malware usually has a targeted list of applications in their remote server that prohibits them from running in the infected device. Coper malware actively targets banking applications across Europe, Australia, and even parts of South America.
The malware also receives commands from the TA through the C&C URL hard coded within the app in encrypted text. Figure 13 depicts the list of commands stored within the app in encrypted text.
The list of commands used in Coper malware are given below:
| Command | Description |
| ussd | Run a USSD request |
| sms | Send an SMS |
| register_again | Dynamically registering a broadcast receiver |
| lock_on & lock_off | Lock/Unlock the device screen |
| intercept_on & intercept_off | Start/Stop intercepting SMS |
| vnc_start & vnc_stop | Start/Stop a VNC |
| push | Demonstrate a push notification |
| repeat_inject | Re-display a phishing window on top of the targeted app’s window |
| start_keylogger & stop_keylogger | Run/Stop a Keylogger |
| uninstall_apps | Delete an application specified in the command |
| kill_bot | Delete itself and the dropper |
| open_url | Launches the defined URL |
| run_app | Run a defined package |
Upon further analysis, we were able to find the hardcoded additional Command and Control (C&C) domains, webinjects, and configuration data by the Malware author. The hard-coded C&C domains and configuration data are shown below.
Dynamic C&C servers:
- hxxps://s22231232fdnsjds[.]top/PArhFzp5sG2sN/
- hxxps://s32231232fdnsjds[.]top/PArhFzp5sG2sN/
- hxxps://s42231232fdnsjds[.]top/PArhFzp5sG2sN/
Coper trojans have several defense measures. Controlling the integrity of the core malicious component is one of them. The Copper malware will attempt to restore it if it is removed.
Coper malware also has a secondary safety measure to monitor potentially harmful behavior to the trojan, such as:
- The user trying to modify the device administrators’ list user access to the trojan’s information page from the system’s list of installed apps.
- The user visiting the Google Play Protect page in the Play Store app.
- The user changes the trojan’s access privileges for the Accessibility Services features.
Conclusion
According to our research, Banking trojans no longer conduct assaults only based on overlay or using rented Mobility as a Service (MaaS), as previously detected in numerous Banking Trojan malware variants.
This malware uses Virtual Network Computing (VNC) to initiate screen recording services by recognizing the foreground settings in the list of apps.
Financial institutions must strengthen their mobile-first approach and prepare for the challenges posed by this virus by understanding the security landscape. This aim may be achieved by implementing a real-time threat-driven mobile security strategy.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How To Prevent Malware Infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How To Identify Whether You Are Infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What To Do When You Are Infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What To Do In Case Of Any Fraudulent Transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What Should Banks Do To Protect Their Customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Initial Access/Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Collection | T1513 | Screen Capture |
| Collection | T1412 | Capture SMS Messages |
| Credential Access | T1417 | Input Capture (Keylogger) |
| Command and Control | T1436 | Commonly Used Ports |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f | SHA256 | Hash of the analysed APK file |
| 9b07766286667e6444c93e86d833a426a5d660f0 | SHA1 | Hash of the analysed APK file |
| 85b7a0e8cdee68bca806fc45948c2d82 | MD5 | Hash of the analysed APK file |
| hxxps://s22231232fdnsjds[.]top/ | URL | C&C servers |
| hxxps://s32231232fdnsjds[.]top/ | URL | C&C servers |
| hxxps://s42231232fdnsjds[.]top | URL | C&C servers |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 
