“Efficient Technical Analysis of Copybara”

Copybara is an Android trojan variant active since November 2023 that communicates with its C2 over MQTT, abuses the Android Accessibility Service to gain control, and downloads phishing pages impersonating financial institutions and cryptocurrency exchanges to steal credentials. It also features keylogging, audio/video recording, SMS hijacking, and screen capture, often impersonating legitimate apps to deceive users into entering credentials. #Copybara #MQTT #AccessibilityService #Phishing #Italy #CaixaBank #Mediobanca

Keypoints

  • Copybara is an Android malware family dating back to 2021, with a new variant active since November 2023.
  • The malware is primarily spread through voice phishing (vishing) attacks.
  • It uses the MQTT protocol for communications with its C2 server.
  • It abuses the Android Accessibility Service to gain granular control over infected devices.
  • Copybara downloads phishing pages impersonating financial institutions and cryptocurrency exchanges to steal credentials.
  • Capabilities include keylogging, audio & video recording, SMS hijacking, screen capture, and credential theft.
  • Impersonation of popular apps and services helps deceive users into entering sensitive information.
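Because the C2 channel described above runs over MQTT, a network-side detection should key on the protocol rather than on the well-known ports, since a broker can be put on any port. The following is an added example written for this summary, not code from the Zscaler report or from Copybara: it decodes the MQTT 3.1.1 CONNECT packet (fixed header, variable-length remaining-length field, protocol name, flags, client ID, optional will/username) from a raw TCP payload and raises an alert when a CONNECT is seen on a destination port other than 1883/8883. The sample packet is constructed inline; the client ID, username and "non-standard port means suspicious" rule are assumptions for illustration.

```python
"""Protocol-level detection of MQTT CONNECT packets in TCP payloads.

Added example: decodes an MQTT 3.1.1 CONNECT by structure, so a C2
channel on an unusual port is still recognised.  The sample packet,
client ID and port policy below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MQTT_PORTS = {1883, 8883}  # IANA-registered MQTT ports; assumption: anything else is suspicious


def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the 1-4 byte variable-length 'Remaining Length' field."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Decode a 2-byte big-endian length-prefixed field (string or binary)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated field length")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field body")
    return buf[pos:pos + n], pos + n


@dataclass
class MqttConnect:
    protocol_name: str
    protocol_level: int
    client_id: str
    username: Optional[str]
    has_password: bool
    keep_alive: int


def parse_connect(payload: bytes) -> Optional[MqttConnect]:
    """Return the decoded CONNECT, or None if the payload is not an MQTT CONNECT."""
    # Control packet type 1 with reserved flag nibble 0 is CONNECT.
    if len(payload) < 2 or payload[0] >> 4 != 1 or payload[0] & 0x0F != 0:
        return None
    try:
        remaining, pos = _remaining_length(payload, 1)
        if pos + remaining > len(payload):
            return None
        name_raw, pos = _field(payload, pos)
        name = name_raw.decode("utf-8")
        if name not in ("MQTT", "MQIsdp"):  # 3.1.1/5.0 name and the legacy 3.1 name
            return None
        level = payload[pos]
        flags = payload[pos + 1]
        keep_alive = int.from_bytes(payload[pos + 2:pos + 4], "big")
        pos += 4
        client_raw, pos = _field(payload, pos)
        client_id = client_raw.decode("utf-8")
        if flags & 0x04:  # Will flag set: skip will topic and will message
            _, pos = _field(payload, pos)
            _, pos = _field(payload, pos)
        username = None
        if flags & 0x80:
            user_raw, pos = _field(payload, pos)
            username = user_raw.decode("utf-8")
        has_password = bool(flags & 0x40)  # password bytes are not needed for the alert
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    return MqttConnect(name, level, client_id, username, has_password, keep_alive)


def flag_mqtt_c2(dst_port: int, payload: bytes) -> Optional[str]:
    """Alert text when an MQTT CONNECT is seen on a port other than 1883/8883."""
    conn = parse_connect(payload)
    if conn is None or dst_port in MQTT_PORTS:
        return None
    return (f"MQTT CONNECT on non-standard port {dst_port}: "
            f"client_id={conn.client_id!r} user={conn.username!r}")


# Constructed sample: CONNECT with clean session, username and password flags set.
SAMPLE_CONNECT = (
    b"\x10\x27"               # fixed header: CONNECT, remaining length 39
    b"\x00\x04MQTT\x04"       # protocol name "MQTT", level 4 (3.1.1)
    b"\xC2\x00\x3C"           # flags: username + password + clean session; keep-alive 60 s
    b"\x00\x0Eandroid-bot-01" # client ID (assumed value)
    b"\x00\x03bot"            # username (assumed value)
    b"\x00\x06secret"         # password (assumed value)
)

if __name__ == "__main__":
    print(parse_connect(SAMPLE_CONNECT))
    print(flag_mqtt_c2(443, SAMPLE_CONNECT))
```

Matching on the protocol name and header layout is what makes this useful against a broker moved to 443 or 8080; the decoder rejects non-MQTT payloads (an HTTP request, a truncated packet) by returning None rather than raising.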

MITRE Techniques

  • [T1003] OS Credential Dumping – Copybara may attempt to steal user credentials by downloading phishing pages that mimic legitimate financial institutions. Note that T1003 in ATT&CK for Enterprise covers extracting credential material from the operating system itself; the behaviour described here (fake login pages shown to the user) is closer to Input Capture (T1417) in ATT&CK for Mobile.
  • [T1213] Data from Information Repositories – It retrieves sensitive information such as installed applications and device call logs.
  • [T1219] Remote Access Software – Utilizes MQTT for remote command execution and control over the infected device.
  • [T1071] Application Layer Protocol – Communicates with its C2 server using the MQTT protocol.
  • [T1203] Exploitation for Client Execution – Abuses the Accessibility Service to gain control over the device. No software vulnerability is exploited here: the Accessibility Service is a legitimate Android feature, and the malware relies on the user granting it the accessibility permission, after which it can read screen content and inject input on the user's behalf.

Indicators of Compromise

  • [Hash] Sample hashes – 01b0e9cb7e864e753261b94e3e652254968d8188562a5abfc240d19fa783bc5f, 0280536885bb406bc8cd90631bb48ddd809dcf16ecfb5acdc2e75c40171a63af, and many others
  • [IP] C2 Server IPs – 146.103.41[.]28, 146.19.143[.]42, and 11+ more IPs
  • [URL] Hosting URLs – app-link[.]cc/agricole.apk, app-token[.]cc/www.app-nueva.cc/app/BBVACodigo.apk, and many others
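The indicators above are published defanged (`[.]`), so they need to be refanged before they can be compared against proxy or DNS logs. The following is an added example for this summary, not Zscaler tooling: it loads the indicators quoted above, refangs them, derives the hosting domains from the URLs, and sweeps a constructed proxy log (the column layout timestamp, source IP, destination IP, host, path, SHA-256 of the downloaded object, and every log line, are assumptions made for illustration).

```python
"""Refang the published indicators and sweep a proxy log for them.

Added example for this page, not Zscaler tooling.  INDICATORS repeats
the IoCs quoted above; SAMPLE_LOG and its column layout are constructed.
"""
import re
from typing import Dict, List, Set

INDICATORS = """\
[Hash] 01b0e9cb7e864e753261b94e3e652254968d8188562a5abfc240d19fa783bc5f
[Hash] 0280536885bb406bc8cd90631bb48ddd809dcf16ecfb5acdc2e75c40171a63af
[IP] 146.103.41[.]28
[IP] 146.19.143[.]42
[URL] app-link[.]cc/agricole.apk
[URL] app-token[.]cc/www.app-nueva.cc/app/BBVACodigo.apk
"""


def refang(value: str) -> str:
    """Undo common defanging so indicators compare equal to live log data."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_indicators(text: str) -> Dict[str, Set[str]]:
    """Parse '[Kind] value' lines into lower-cased sets; derive hosts from URLs."""
    iocs: Dict[str, Set[str]] = {"hash": set(), "ip": set(), "url": set(), "host": set()}
    for line in text.splitlines():
        m = re.match(r"\[(Hash|IP|URL)\]\s+(\S+)", line)
        if not m:
            continue
        kind, value = m.group(1).lower(), refang(m.group(2)).lower()
        iocs[kind].add(value)
        if kind == "url":
            iocs["host"].add(value.split("/", 1)[0])  # hosting domain alone is worth blocking
    return iocs


def sweep(log_lines: List[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per log line that touches any indicator, with the reasons."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) != 6:  # assumed layout: ts src dst_ip host path sha256 ('-' if absent)
            continue
        _ts, src, dst_ip, host, path, sha256 = parts
        reasons = []
        if dst_ip in iocs["ip"]:
            reasons.append(f"c2-ip:{dst_ip}")
        if host.lower() in iocs["host"]:
            reasons.append(f"host:{host.lower()}")
        url = f"{host}{path}".lower()
        if url in iocs["url"]:
            reasons.append(f"url:{url}")
        if sha256.lower() in iocs["hash"]:
            reasons.append(f"sha256:{sha256.lower()[:12]}")
        if reasons:
            hits.append({"line": n, "src": src, "reasons": reasons})
    return hits


# Constructed log lines (assumed format); line 1 hits a C2 IP, line 2 a hosting URL and hash.
SAMPLE_LOG = [
    "2024-02-01T10:00:00Z 10.0.0.5 146.19.143.42 - - -",
    "2024-02-01T10:02:13Z 10.0.0.7 203.0.113.9 app-link.cc /agricole.apk "
    "01b0e9cb7e864e753261b94e3e652254968d8188562a5abfc240d19fa783bc5f",
    "2024-02-01T10:05:40Z 10.0.0.9 198.51.100.4 example.com /index.html -",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG, load_indicators(INDICATORS)):
        print(hit)
```

Matching the hosting domain separately from the full URL matters in practice: the same domain is typically reused for several payload names, so a host hit is a useful signal even when the exact path has changed since the report.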

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-copybara