Coper Banking Trojan

Coper Banking Trojan Description

The infosec researchers at Doctor Web have uncovered a new family of Android banking Trojans targeting Colombian users. Named the Coper Banking Trojan, the threat employs a multi-stage infection chain to compromise Android devices and carry out a range of harmful activities, chiefly the theft of the user's banking credentials. The Trojans also have a modular structure that makes detection more difficult, and they are equipped with several persistence mechanisms that shield them from different types of removal attempts.

The Attack Chain

The Coper Banking Trojan is spread via malicious applications designed to look like legitimate applications released by Bancolombia. One such fake application is called Bacolombia Personas, and its icon mimics the style and color palette of the official Bancolombia applications. This fake application is the first stage: a dropper delivered to the infiltrated Android device. The dropper's main job is to decrypt and execute the next-stage payload, which is disguised as a Web document named 'o.html.'

The second-stage module is responsible for obtaining access to Android's Accessibility Services. This is essential for several of the threat's malicious capabilities, as Accessibility Services allow the Coper Trojan to control the compromised device and perform actions on the user's behalf, such as simulating taps on specific buttons. The malware also will attempt to disable Google Play Protect, the built-in malware protection.

During the third stage of the infection chain, the main module of the banking Trojan is decrypted and launched. To avoid attracting the user's attention, this component is installed on the system disguised as an application called Cache plugin. The Trojan asks to be added to the device's battery optimization exclusion list, which lets it avoid being terminated by the system. Furthermore, the threat requests device administrator rights, along with permissions to manage phone calls and SMS.

Malicious Capabilities

After removing its icon from the home screen, the Coper Trojan notifies its Command-and-Control (C&C, C2) server and enters a waiting mode. The threat periodically, once every minute by default, contacts the C&C server for new instructions. The attackers can send and intercept SMS, lock or unlock the screen, run a keylogger routine, display new push notifications or intercept incoming ones, uninstall applications, or tell the threat to uninstall itself.
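The fixed one-minute polling interval is the kind of network behavior a SOC can hunt for. The following is an added example, not code from Doctor Web or from the Trojan itself: it reads a constructed connection log (the hosts, device names and timestamps are made up) and flags source/destination pairs whose inter-connection gaps are nearly constant. The thresholds are assumptions chosen for the example.

```python
"""Beacon-interval triage for Coper-style C&C polling (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log (not real Coper traffic): one line per outbound
# connection, "timestamp source destination". device-a polls an assumed
# C&C host roughly every 60 s; device-b has irregular traffic.
SAMPLE_LOG = """\
2021-07-06T10:00:00Z device-a 203.0.113.10:443
2021-07-06T10:00:03Z device-b 198.51.100.7:443
2021-07-06T10:01:01Z device-a 203.0.113.10:443
2021-07-06T10:01:59Z device-a 203.0.113.10:443
2021-07-06T10:02:20Z device-b 198.51.100.7:443
2021-07-06T10:03:00Z device-a 203.0.113.10:443
2021-07-06T10:04:02Z device-a 203.0.113.10:443
2021-07-06T10:04:45Z device-b 198.51.100.7:443
2021-07-06T10:05:00Z device-a 203.0.113.10:443
2021-07-06T10:06:00Z device-a 203.0.113.10:443
2021-07-06T10:11:30Z device-b 198.51.100.7:443
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, TS_FORMAT))
    return flows


def find_beacons(text, min_events=4, max_cv=0.1):
    """Return flows whose inter-connection gaps are nearly constant.

    A flow is flagged when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of its gaps is at most `max_cv`.
    Both thresholds are assumptions for this example, not values from the
    Doctor Web report.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "events": len(stamps),
                "median_interval_s": median(gaps),
                "jitter_cv": round(cv, 4),
            })
    return sorted(hits, key=lambda h: h["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only device-a is flagged, with a median gap of 60.5 seconds. Treat a hit as a triage lead rather than a verdict: legitimate apps also poll on fixed schedules, and operators who add jitter to the interval (the article notes the interval is configurable) will push the coefficient of variation above the threshold.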

The threat actors also can modify the Trojan's behavior to better suit their objectives: its list of C&C servers, the targeted applications, the list of applications to delete, and the applications it is to prevent from running can all be adjusted remotely.

Coper is classified as a Banking Trojan and, as such, its main goal is to collect banking credentials. It overlays the legitimate login screens of the targeted applications with a nearly identical phishing page. The contents of the fake page are downloaded from the C&C server and rendered in a WebView. Any information the user enters is scraped and uploaded to the attackers.

Self-Defense Techniques

The Coper Banking Trojan exhibits several protective measures that ensure its continued presence on the device or stop it from running under specific circumstances. For example, the threat performs several checks to determine the user's country, whether an active SIM card is present in the device, and whether it is being executed in a virtual environment. If any one of these checks falls outside the expected parameters, the threat terminates itself.

Another technique involves the Trojan actively watching for user actions that could harm it. The threat can detect if the user is trying to open the Google Play Protect page in the Play Store application, attempting to change the device administrators, trying to view the Trojan's application information page, or trying to remove it from the enabled Accessibility Services. Upon detecting any of those actions, the threat simulates pressing the Home button to return the user to the home screen. A similar method is used to prevent the user from uninstalling the Trojan: it simulates pressing the Back button.
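Because the Trojan's Home/Back simulation only interferes with on-screen navigation, an adb shell session is a practical way to inspect a device suspected of carrying it. The following is an added example, not part of the Doctor Web report or of this page's original content: it takes the outputs of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` entries, or `null` when unset) and `adb shell pm list packages -3` (one `package:<name>` line per third-party app), both constructed here with hypothetical package names, and lists the third-party packages that hold an enabled accessibility service. It serves both the Accessibility Services discussion above and the self-defense behavior just described.

```python
"""Triage of third-party apps holding Accessibility Services (added example)."""

# Constructed outputs (not captured from a real device) of two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# All package names below are hypothetical.
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.cache.plugin/.AccService"
)
THIRD_PARTY_PACKAGES = """\
package:com.example.messenger
package:com.cache.plugin
package:com.example.bank
"""


def parse_enabled_services(value):
    """Return the package names from the colon-separated 'pkg/cls' list."""
    value = value.strip()
    if not value or value == "null":   # the setting is unset on a clean device
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_third_party(text):
    """Return the package names from 'package:<name>' lines."""
    return {line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")}


def suspicious_accessibility_apps(services_value, pm_output, allowlist=frozenset()):
    """Third-party packages with an enabled accessibility service, minus an allowlist.

    The allowlist is for accessibility tools the organization knowingly deploys;
    everything else that holds this capability deserves a closer look.
    """
    enabled = parse_enabled_services(services_value)
    third_party = parse_third_party(pm_output)
    return sorted((enabled & third_party) - set(allowlist))


if __name__ == "__main__":
    for pkg in suspicious_accessibility_apps(ENABLED_SERVICES, THIRD_PARTY_PACKAGES):
        print("review:", pkg)
```

A hit is a lead, not proof: legitimate screen readers and automation tools also hold Accessibility Services. In practice, combine this with the other two signals the article describes for the main module, the package being listed as a device administrator and being excluded from battery optimization, before deciding to pull the app for analysis.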

Although the currently active samples of the threat appear to be focused solely on Colombian users, there is nothing stopping the operators of the Coper Banking Trojan from expanding their operation in future versions.