Copybara Mobile Malware
Copybara is a family of Android banking malware. The first versions are believed to have become active in the second half of 2021, with most of the observed attacks taking place in 2022. The operators rely on heavily tailored social engineering to trick users into downloading and installing Copybara themselves. The tailored lures raise the success rate per target but limit the scope of each campaign: the operators not only target the Italian market specifically, but also focus each campaign on the customers of a single institution.
These atypical characteristics are explained by a voice-phishing step, also called TOAD (Telephone-Oriented Attack Delivery), in the infection chain. First, users receive lure SMS messages presented as coming from their bank. These smishing messages contain a link that leads to the Copybara APK being delivered to the Android device. Next, an operator working for the attackers calls the victim posing as a bank agent and walks the user through downloading and installing what is presented as a security application. The bogus agent also insists that the user grant the application broad device permissions, which is the step that gives the malware the access it needs for the fraud that follows.
Once established on the victim's Android device, Copybara can perform a range of intrusive actions that allow the attackers to carry out On-device Fraud (ODF), that is, fraudulent transactions initiated from the victim's own device. The malware maintains a connection to the operation's Command-and-Control (C2, C&C) server. It also carries an overlay mechanism that displays a fake page designed to look identical to the legitimate application Copybara is impersonating, so that anything the victim types into it goes to the attackers. Infosec researchers stated in a report that they identified Copybara masquerading as applications from a variety of Italian institutions.
More recent Copybara variants carry additional modules, delivered as separate APKs, that further expand the threat's capabilities. The malware can deploy an external module that logs Android Accessibility events, a crucial step that gives the attackers full visibility of, and control over, the UI elements on the device. The same accessibility access also provides the attackers with a keylogging mechanism. Taken together, the core threat and its modules can be used to monitor SMS communication, intercept 2FA codes delivered by SMS, and more.
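The capability combination described in the two paragraphs above (overlay, Accessibility Service, SMS interception, plus side-loading of extra APKs) is visible in an APK's manifest before the app ever runs. As an added example that is not code from the original article or from any Copybara sample, the script below triages a decoded AndroidManifest.xml (for instance the one apktool produces) for exactly that combination. The permission and intent-filter action names are the real Android constants; the two manifests embedded in it are constructed for the example, and the weights, the package names and the function name triage_manifest are the author's assumptions, not anything derived from Copybara.

```python
"""Static triage of an Android manifest for the banker capability combination
(overlay + accessibility service + SMS interception). Added example; the two
manifests below are constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

# All android:* attributes live in this namespace once the manifest is parsed.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# uses-permission entries and the capability each one enables (real Android names).
PERMISSION_CAPS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",          # draw over other apps
    "android.permission.RECEIVE_SMS": "sms",                      # see incoming SMS (2FA codes)
    "android.permission.READ_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",     # side-load extra APK modules
    "android.permission.INTERNET": "network",                     # C2; too common to score alone
}
# Accessibility access is declared on the <service>, not via uses-permission.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Weights are an assumption for this example, chosen so that the overlay +
# accessibility + SMS triad dominates everything else.
CAP_WEIGHT = {"overlay": 3, "accessibility": 3, "sms": 2, "dropper": 2, "network": 0}
TRIAD = {"overlay", "accessibility", "sms"}


def _actions(component):
    """Return the set of intent-filter action names declared under a component."""
    return {a.get(ANDROID + "name", "") for a in component.iter("action")}


def triage_manifest(manifest_xml):
    """Parse a decoded manifest and return evidence, score and verdict."""
    root = ET.fromstring(manifest_xml)
    evidence = {}

    def note(cap, what):
        evidence.setdefault(cap, []).append(what)

    for up in root.iter("uses-permission"):
        name = up.get(ANDROID + "name", "")
        if name in PERMISSION_CAPS:
            note(PERMISSION_CAPS[name], name)

    # An accessibility service is recognised either by the bind permission on
    # the <service> element or by its intent-filter action.
    for svc in root.iter("service"):
        if (svc.get(ANDROID + "permission") == ACCESSIBILITY_PERM
                or ACCESSIBILITY_ACTION in _actions(svc)):
            note("accessibility", "service " + svc.get(ANDROID + "name", "?"))

    # A receiver for SMS_RECEIVED is stronger evidence than the permission alone.
    for rcv in root.iter("receiver"):
        if SMS_RECEIVED_ACTION in _actions(rcv):
            note("sms", "receiver " + rcv.get(ANDROID + "name", "?"))

    score = sum(CAP_WEIGHT[cap] for cap in evidence)
    triad = TRIAD.issubset(evidence)
    if triad:
        score += 5  # the full on-device-fraud kit is worth more than its parts
    verdict = "high" if triad else ("medium" if score >= 5 else "low")
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "evidence": evidence}


# Constructed manifest resembling a fake "security app" banker (not a real sample).
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank.security">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for m in (BANKER_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], sorted(r["evidence"]))
```

The check is deliberately coarse: a legitimate accessibility tool or SMS client will trip one or two of these capabilities, which is why only the full triad yields a "high" verdict. Run on a decoded manifest, a "high" result is a reason to pull the APK for dynamic analysis, not a conviction on its own.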