Coper Banking Trojan Targets Colombian Users

Doctor Web has discovered a new family of banking Trojans for Android named Android.BankBot.Coper (hereinafter Coper). While the bankers are targeting Colombian users, 然而, the researchers believe that over time, versions may appear that will attack users from other countries.

It is reported that this family of malware has a modular architecture and a multi-stage infection mechanism, as well as a set of protective techniques to help resist deletion.

All Coper samples found were distributed under the mask of the official software of the credit institution Bancolombia (Bancolombia Personas applications). To make them more convincing, their icons were designed in the same style as those of the real programs of the bank.

For comparison, below is an example of a fake icon (left) and an example of real Bancolombia app icons (right) available for download on Google Play.

Coper Banking Trojan

The infection process is divided into several stages. The first step is to install a decoy program that cybercriminals impersonate as a real banking application. 講真, it is a dropper whose main task is to deliver and install the main malicious module hidden inside it on the target device.

During the installation process, the banker gains access to Accessibility Services, with the help of which it can fully control the infected device and imitate user actions (例如, clicking on menu buttons and closing windows). To do this, he asks the victim for the appropriate permission, and having received it, it tries to disable the Google Play Protect protection built into the operating system, allow the installation of applications from unknown sources, install and run the main malicious module and also provide it with access to special features.

Coper Banking Trojan

Coper Banking Trojan

The main Trojan module that performs the main malicious actions is installed under the mask of a system application named Cache plugin, which uses the gear icon, which is standard for some Android system programs. The name and icon increase the likelihood that users will not see a threat in the program.

When launched, this module gains access to a number of important functions. 例如, the Trojan asks for permission to read and manage notifications and add them to the list of exceptions for system battery optimization, which will allow it to work permanently. 另外, the Trojan becomes the administrator of the device and also gains access to control phone calls and SMS messages.

Further, this module hides its icon from the list of applications on the main screen, concealing it from the user, after which it informs the C&C server about the successful infection of the device and waits for further instructions.

The banker maintains constant communication with the server, sending requests to it every minute. If necessary, this interval can be changed by the appropriate command.

另外, depending on the response received from the server, the Trojan can change its other settings, including:

  • a list of command-and-control servers;
  • a list of target applications that will display phishing windows when launched;
  • a list of programs to be removed;
  • a list of applications that the Trojan will prevent from launching by returning the user to the home screen;
  • a list of programs from which notifications will be blocked;
  • other parameters.

Having received the right command from its operators, Coper is able to:

  • execute USSD requests;
  • send SMS;
  • lock the device screen;
  • unlock the device screen;
  • start intercepting SMS;
  • stop intercepting SMS;
  • show push notifications;
  • re-display the phishing window over the specified application;
  • launch a keylogger;
  • stop the keylogger;
  • remove the applications specified in the command;
  • remove yourself as well as the dropper from the device.

另外, the Trojan intercepts and sends to the server the content of all Push notifications received by the device. In order to demonstrate a phishing window, the malware uses what has already become a classic for mobile bankers: the contents of such a window are downloaded from a remote server and placed in a WebView that imitates the appearance of the target program to deceive the victim.

Let me remind you that we also said that Researchers warned of new DarkRadiation ransomware.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕