Cyble-Coper-banking-trojan

Coper Banking Trojan

Android Malware Posing as Google Play Store App Installer

During our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across various malware samples of Coper malware from a third-party intelligence website. Coper is linked to ExoBotCompat, a revised version of Exobot Android malware.

Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts. Coper malware was initially discovered targeting Colombian users around July 2021.

Newer versions of the Coper Banking trojan have been observed targeting Android users in different countries across Europe. They are anticipated to expand their scope to other regions in the future, targeting a variety of banking apps worldwide.

This type of malware is generally known for impersonating financial institution apps called Bancolombia Personas. Newer versions of the Coper malware also started to adopt impersonating Utility apps.

The infection itself is broken down into two distinct phases. The first step is to install the fake app that the Threat Actors (TAs) pass off as banking software. This app is nothing more than a dropper, and its sole purpose is to disseminate and install the primary harmful module hidden within the malicious app.

The features in the current version of Coper malware are listed below: 

  • Send USSD requests
  • Send SMS
  • Lock the device screen
  • Unlock the device screen
  • Start intercepting SMS
  • Stop intercepting SMS
  • Display a push notification
  • Re-display phishing window on top of the specified app
  • Run a keylogger
  • Stop a keylogger
  • Uninstall applications specified in the command
  • Uninstall itself with the dropper app

Technical Analysis

APK Metadata Information

  • App Name:  Play Store app install
  • Package Name: com.theseeye5
  • SHA256 Hash: 4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f

Figure 1 shows the metadata information of an application.

Figure 1 – App Metadata Information

The figure below shows the application icon impersonating the Google Play Store app displayed on the Android device.

Figure 2 – App Icon and Name

Manifest Description

The fake Play Store app asks for 32 permissions, of which the TA takes advantage of 12. The malware’s harmful permission requests are listed below:

PermissionDescription
READ_PHONE_STATE  Allows the application to access the phone features of the device
ADD_VOICEMAILAllows an application to add voicemails into the system
CALL_PHONEAllows the application to call phone numbers without your intervention
READ_EXTERNAL_STORAGE Allows an application to read from external storage.
WRITE_EXTERNAL_STORAGE Allows an application to write to external storage.
WRITE_SETTINGSAllows an application to modify the system’s settings data.
CALL_PHONE Perform call without user intervention
READ_SMS Access user’s SMSs stored in the device 
RECEIVE_SMS Fetch and process SMS messages 
SEND_SMS Allows the app to send SMS messages 
SYSTEM_ALERT_WINDOW Allows to display system alerts over other apps 


We found the activity class that is initiated when the app is launched via the icon. This was determined by looking at the Android components declared in the Manifest file. Figure 3 depicts the declaration of this activity.

Figure 3 – Launcher Activity

In addition to the launcher activity, the application’s Manifest file contains several receivers & services and the application’s subclass.

Source Code Review

Apart from the application’s subclass, the rest of the components identified from the Manifest file are missing. Hence, we can infer that the application is packed.

“com.theseeye5.KSNckdWjjyIXg” is the applications subclass initiated on launching the application. The application loads its components from the library file upon analyzing the subclass, as shown below.

Figure 4 – Application’s Subclass loading library file

The project file browser can also be used for viewing the library file’s presence. libyvr.so is visible in the screenshot below.

Figure 5 – Library file in Project file representation

Upon analyzing the “.so” file, the application acts as a dropper, which is the initial phase of the Coper malware that drops and installs the malware’s primary harmful module hiding inside the victim’s Android device.

As seen in Figure 4, the file drops an encrypted.dex file. This file can be decrypted to reveal the Coper malware’s malicious code, as shown below.

Figure 6 – Decrypted Dex file

Upon analyzing the decrypted.dex file, we were able to find the presence of missed Receivers, Services, and Mainactivity of the application. Below, we have listed the malicious activities the application can perform:

  • The application uses the Device Administration API along with the DeviceAdminReceiver subclass to enable/disable device admin to the apps that users install on their devices.
Figure 7 – Enabling/Disabling Device Admin

  • The application can read all the incoming SMS messages from the infected device.
Figure 8 – Reading Incoming SMS

  • The application’s entry point/launcher activity reads installed packages from the user’s device.
Figure 9 – Launcher activity of the malicious application

  • The malware reads the incoming notifications by verifying the packages and steals the messages from the notification using Notification Listener Service.
Figure 10 – Reads and cancels the notification using Notification Listener service

Like other Banking Trojans, Coper malware requests users to enable the Accessibility Service to perform various Accessibility Event types to conduct malicious activities, as shown in the below figure.

Figure 11 – Accessibility Event Types

The malware maintains a connection with the C&C server and queries it every minute. If the malware gets the relevant instructions from the C&C server, the time interval can be altered to ensure the malware gets sufficient time to perform other malicious functionalities.

Coper malware may also alter additional configuration parameters, as shown in Figure 12.

Figure 12 – Timer Delay and Configuration Changes Performed by malware

The list of webinjects or applications for which malicious apps attempt to steal data were also identified. Coper malware usually has a targeted list of applications in their remote server that prohibits them from running in the infected device. Coper malware actively targets banking applications across Europe, Australia, and even parts of South America.

The malware also receives commands from the TA through the C&C URL hard coded within the app in encrypted text. Figure 13 depicts the list of commands stored within the app in encrypted text.

Figure 13 – Commands received from C&C server

The list of commands used in Coper malware are given below:

CommandDescription
ussdRun a USSD request
smsSend an SMS
register_againDynamically registering a broadcast receiver
lock_on & lock_offLock/Unlock the device screen
intercept_on & intercept_offStart/Stop intercepting SMS
vnc_start & vnc_stopStart/Stop a VNC
pushDemonstrate a push notification
repeat_injectRe-display a phishing window on top of the targeted app’s window
start_keylogger & stop_keyloggerRun/Stop a Keylogger
uninstall_appsDelete an application specified in the command
kill_botDelete itself and the dropper
open_urlLaunches the defined URL
run_appRun a defined package

Upon further analysis, we were able to find the hardcoded additional Command and Control (C&C) domains, webinjects, and configuration data by the Malware author. The hard-coded C&C domains and configuration data are shown below.

Figure 14 – Additional C&C domains and configuration data hardcoded by malware author

Dynamic C&C servers:

  • hxxps://s22231232fdnsjds[.]top/PArhFzp5sG2sN/
  • hxxps://s32231232fdnsjds[.]top/PArhFzp5sG2sN/
  • hxxps://s42231232fdnsjds[.]top/PArhFzp5sG2sN/

Coper trojans have several defense measures. Controlling the integrity of the core malicious component is one of them. The Copper malware will attempt to restore it if it is removed.

Coper malware also has a secondary safety measure to monitor potentially harmful behavior to the trojan, such as:

  • The user trying to modify the device administrators’ list user access to the trojan’s information page from the system’s list of installed apps.  
  • The user visiting the Google Play Protect page in the Play Store app.
  • The user changes the trojan’s access privileges for the Accessibility Services features.

Conclusion

According to our research, Banking trojans no longer conduct assaults only based on overlay or using rented Mobility as a Service (MaaS), as previously detected in numerous Banking Trojan malware variants.

This malware uses Virtual Network Computing (VNC) to initiate screen recording services by recognizing the foreground settings in the list of apps.

Financial institutions must strengthen their mobile-first approach and prepare for the challenges posed by this virus by understanding the security landscape. This aim may be achieved by implementing a real-time threat-driven mobile security strategy.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How To Prevent Malware Infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How To Identify Whether You Are Infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What To Do When You Are Infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What To Do In Case Of Any Fraudulent Transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What Should Banks Do To Protect Their Customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean
Defense EvasionT1406Obfuscated Files or Information
Initial Access/Defense EvasionT1444Masquerade as Legitimate Application
CollectionT1513Screen Capture
Collection
T1412
Capture SMS Messages
Credential AccessT1417Input Capture (Keylogger)
Command and ControlT1436Commonly Used Ports

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571fSHA256Hash of the analysed APK file
9b07766286667e6444c93e86d833a426a5d660f0SHA1Hash of the analysed APK file
85b7a0e8cdee68bca806fc45948c2d82MD5Hash of the analysed APK file
hxxps://s22231232fdnsjds[.]top/URLC&C servers
hxxps://s32231232fdnsjds[.]top/URLC&C servers
hxxps://s42231232fdnsjds[.]topURLC&C servers

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. 

Scroll to Top