Play Store App Serves Coper Via GitHub
We at K7 Labs recently came across a Twitter post about Coper, a banking Trojan. The main infection vector of Coper was found on the official Google Play Store, where it posed as the “UniFile manager – PDF viewer” app with 10,000+ downloads, as shown in Figure 1.
Figure 1: UniFile manager – PDF viewer from Google Play Store
Once launched, this app prompts the user to enable the unknown app sources setting, as shown in Figure 2.
Figure 2: Enable unknown apps source popup
When the user enables “Allow from this source”, the application downloads the Coper malware file com.lastcarn_PlayMarket.apk and saves it in the device’s Download folder as PlayMarketUpdate.apk.
From the ADB Logcat output we noticed that the malware file “com.lastcarn_PlayMarket.apk” is downloaded from a GitHub repository, as shown in Figure 3.
Figure 3: ADB Logcat shows malware sample download URL
Figure 4 shows that the repository was created by the GitHub user Johmeffer. At the time of writing this blog, the GitHub repository was still live.
Figure 4: GitHub repository where the malware sample was hosted
In this blog we analyze the package “com.lastcarn”, corresponding to the com.lastcarn_PlayMarket.apk downloaded from the above-mentioned GitHub repository, as shown in Figure 5.
Figure 5: Malicious APK downloaded from GitHub
Once the Coper malware is installed on the device, the app disguises itself as “Play Market” and repeatedly brings up the Accessibility Service settings page, as shown in Figure 6, until the user eventually enables the Accessibility Service for this app.
Figure 6: Request for Accessibility Service
Once the permission is granted, the malicious APK decrypts the payload file “cermb” from the app’s assets folder into an executable DEX file named “cermb.dex” and loads the decrypted file, as shown in Figure 7.
Figure 7: Logcat shows the cermb.dex file being executed at runtime
String Decryption
To evade detection, all the strings within the classes of cermb.dex are encrypted with RC4 using the key “Pyae9UJ8swZDJz2KI”. Figure 8 shows the decryption routine used by the malware.
Figure 8: Decryption routine
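As an added example (not code from the K7 Labs post or from the malware itself), the RC4 routine below reproduces the string decryption described above with the key quoted in the analysis, so an analyst can recover the encrypted strings from cermb.dex in bulk. The post does not show how the ciphertext is stored (raw bytes, hex or Base64), so the example assumes raw bytes and uses constructed sample ciphertexts, produced here by encrypting made-up strings with the same key.

```python
"""RC4 string decryptor for static analysis of the cermb.dex payload.

Added example; the key is the one reported in the analysis, the sample
ciphertexts are constructed here and are NOT values from the real sample.
"""

COPER_RC4_KEY = b"Pyae9UJ8swZDJz2KI"   # key quoted in the blog post


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute the state array with the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed byte-wise with input
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(ciphertext: bytes, key: bytes = COPER_RC4_KEY) -> str:
    """Decrypt one encrypted string and decode it as UTF-8 for the analyst."""
    return rc4(key, ciphertext).decode("utf-8", errors="replace")


def decrypt_strings(blobs: list) -> list:
    """Decrypt a batch of ciphertext blobs pulled out of the DEX."""
    return [decrypt_string(b) for b in blobs]


# Constructed sample input: bot command names from the post, encrypted here
# with the reported key to stand in for blobs extracted from cermb.dex.
SAMPLE_PLAINTEXTS = ["keylogger_enabled", "EXC_SMSRCV", "vnc_start"]
SAMPLE_CIPHERTEXTS = [rc4(COPER_RC4_KEY, p.encode()) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_CIPHERTEXTS, decrypt_strings(SAMPLE_CIPHERTEXTS)):
        print(blob.hex(), "->", text)
```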
The Trojan then intercepts incoming SMS messages and aborts the new-SMS-received broadcast so that the message never reaches the victim, as directed by the bot command “EXC_SMSRCV”, shown in Figure 9.
Figure 9: Intercept SMS messages
By abusing the Android Accessibility Service, this Trojan also acts as a keylogger, capturing the victim’s keystrokes on the device, as shown in Figure 10.
Figure 10: Keylogger functionality
Figure 11 shows the hard-coded C2 domains embedded in Coper malware.
Figure 11: Encrypted and Decrypted C2 Domains
The list of bot commands used by Coper malware is:
- bot_smarts_ver
- close_activity_injects
- injects_delay
- keylogger_delay
- keylogger_enabled
- last_keylog_send
- lock_on
- smart_inject
- smarts_attempts
- sms
- uninstall_apps
- url
- vnc_start
- vnc_stop
- write_settings
- EXC_SMSRCV
At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats.
IoCs
Package Name | Hash | Detection Name
com.readerall.yanerslite | C41D025AE669F65A3E89C50C80587AF8 | Trojan ( 0001140e1 )
com.lastcarn | 3ACD48E20CDC01D9F5A9BC760077F938 | Trojan ( 005572801 )
Cermb.dex | 6301EC14BD42288212694C2A9B63D2AB | Trojan ( 0059e6071 )
C2
MITRE ATT&CK
Tactics | Techniques
Defense Evasion | Application Discovery, Obfuscated Files or Information
Credential Access | Capture SMS Messages, Access Stored Application Data
Discovery | System Network Configuration Discovery, Application Discovery, System Information Discovery
Collection | Screen Capture, Capture SMS Messages, Access Stored Application Data