Coper Android Trojan Strikes Colombian Users

80% Of Retail Apps Leak Personal Data

Coper is a newly identified threat, which appears to have features typical for banking Trojans. It goes after Android mobile devices exclusively, and it is able to target a wide range of financial institutions. Its top priority, however, appears to be Colombian banks. The Coper Banking Trojan is identifiable by reputable antivirus software, and you can keep your data and smartphone safe by using an up-to-date security tool. It will also keep you safe from similar threats like the Bizarro Banking Trojan.

Coper Banking Trojan Spread Through Fake Apps

Large-scale malware propagation campaigns often employ multiple techniques and strategies to improve their reach. In the case of the Coper Banking Trojan, its creators are abusing fake versions of 'Bancolombia Personas,' the official banking app of Bancolombia. The fake installer uses the same logo and name as the original, but it is not found on the Google Play Store. As for the way the malicious installer is promoted, the criminals might use multiple approaches – email spam, text message spam, fake ads, social media, and more.

How does the Coper Banking Trojan's Attack Work?

Once the malicious APK file is installed and ready to go, the user may be prompted to give the app certain permissions. Users are unlikely to find anything odd about this since the official Bancolombia Personas app also requires some permissions. However, there is one request that stands out about the fake version – it asks the user to grant it access to Accessibility Services. Almost all Android malware families go after these permissions because they grant them nearly full control over the hacked device.

If the Coper Banking Trojan gets what it wants, it will proceed to:

  • Disable Google Play Protect.
  • Enable the installation of apps from unknown sources.
  • Grant additional payloads the permission they need.

In terms of functionality, the Coper Banking Trojan is able to carry out complicated phishing attacks by using overlays. These overlays are triggered automatically whenever the victim opens a specific website or app used by one of the financial institutions that Coper targets. The overlay is usually designed to look just like the original app – any data entered there is submitted to the command-and-control server of the attackers.

The Coper Trojan has Interesting Features and Security Measures

In addition to the overlay phishing attack, the Coper Banking Trojan also enables its operators to:

  • Launch a keylogger.
  • Steal the contact list.
  • Manage and send SMS messages.
  • Display custom notifications.
  • Lock the device.
  • Uninstall apps.
  • Self-removal.

The Trojan also has a very peculiar 'security' feature to stop users from removing it. It tracks the user's behavior and will simulate a tap on the 'Home' button if the user tries to:

  • Access the Google Play Protect settings.
  • Manage device administrators.
  • View information about the Trojan in the list of installed apps.
  • Try to manage the permissions of the malicious app.

This simple security measure may turn out to be very effective since it will prevent users from troubleshooting the issue on their own. As you can see, developers of banking Trojans are always exploring new opportunities to conceal their implants and make their removal as challenging as possible. The best way to protect yourself from such apps or to remove active infections is to use an up-to-date Android antivirus app.

July 23, 2021

Leave a Reply