Copybara, a persistent Android trojan since 2021, has recently evolved with a November 2023 update. Its extensive capabilities include keylogging, media recording, SMS hijacking, screen capturing, credential theft, and remote device control.
Often posing as popular financial apps, Copybara targets users in Italy and Spain, enticing them with phishing pages mimicking cryptocurrency exchanges and global institutions.
A new feature in the latest variant is the adoption of the MQTT protocol for secure communication with its command-and-control server.
The latest Copybara variant employs the MQTT protocol for communication with its C2 server, which is a lightweight protocol designed for resource-constrained devices and environments with limited bandwidth, like IoT contexts.
Developed using B4A, a legitimate Android app development framework, Copybara often impersonates well-known financial institutions in Italy and Spain, as seen in the logos it uses and also variants disguised as Google Chrome and an IPTV application, further highlighting its ability to mimic legitimate software.
The Copybara malware is a sophisticated Android banking Trojan that targets users through phishing pages and exploits the Accessibility Service to gain extensive control over victims’ devices.
Upon installation, Copybara aggressively prompts users to enable the Accessibility Service, which grants the malware the ability to manipulate various device functions and settings, including intercepting SMS messages, taking screenshots, and even locking the device.
Once enabled, Copybara downloads phishing pages from a C2 server designed to mimic legitimate financial institutions and cryptocurrency exchanges by luring victims into entering their sensitive information, which is subsequently transmitted to the C2 server.
Its capabilities extend beyond phishing and data theft, and can also receive commands from the C2 server, allowing it to perform actions such as locking the device, taking screenshots, and intercepting SMS messages.
Additionally, it can download and install other malicious applications, further expanding its capabilities and making it difficult to remove.
Copybara represents a significant threat to Android users, capable of stealing personal and financial information and causing significant financial loss. It is essential for Android users to be aware of the risks associated with malicious apps and to take precautions to protect their devices from such threats.
The malicious actors behind Copybara use phishing links (e.g., app-link.cc/agricole.apk) to trick victims into downloading fake apps with names similar to legitimate banking apps (e.g., BBVACodigo.apk, CaixaBankSignNueva.apk). Once installed, Copybara abuses Accessibility Services to gain control of the device and steal login credentials.
According to Zscaler ThreatLabz, malware also uses a variety of techniques like keylogging, audio/video recording, and SMS hijacking for further compromise.