On-Device Fraud on the rise: exposing a recent Copybara fraud campaign

Cleafy Labs analyzed a Copybara campaign that combined smishing/vishing social engineering, centralized phishing management via a “Mr. Robot” panel, and malicious APK distribution to perform on-device fraud against bank customers in Spain, Italy, and the UK. Attackers used Cloudflare reverse proxies, a JOKER RAT C2 for VNC-like remote control, overlay injections, Accessibility-based keylogging, and SMS interception to steal credentials and execute instant payments. #Copybara #MrRobot

Keypoints

  • Between late 2023 and early 2024, operators ran a targeted banking fraud campaign against customers in Spain, Italy, and the UK.
  • Attackers combined social engineering (smishing and vishing) with phishing kits and malicious Android APKs to deliver the Copybara trojan and enable on-device fraud (ODF).
  • A centralized control panel named “Mr. Robot” was used to manage multiple phishing campaigns, dynamically deploy phishing kits, and distribute APKs.
  • Infrastructure abuse included Cloudflare reverse proxies to mask server locations and dynamic extraction of phishing kits into randomized subfolders to evade takedowns.
  • Copybara’s C2 (JOKER RAT) supports VNC-like “Silent Connect”, real-time keylogging via abused Accessibility services, overlay/web-inject attacks, SMS interception (SMS RAT), push-notification spoofing, and an APK builder to craft evasive payloads.
  • Stolen data are pushed to Telegram groups and stored in the C2; some Mr. Robot instances use SleekDB to store JSON files in cleartext on the webserver.

MITRE Techniques

  • [T1566] Phishing – Use of SMS- and voice-based social engineering to distribute phishing pages and APKs (‘smishing and vishing techniques’).
  • [T1219] Remote Access Tools – Remote control (VNC-like) used to view and manipulate victims’ devices via the C2 ‘Silent Connect’ feature (‘Silent Connect: This is the main feature of the panel that allows the TAs to control remotely and interact in real-time with the victim’s infected device (VNC).’).
  • [T1056.001] Input Capture: Keylogging – Real-time capture of user input after Accessibility permission is granted (‘Once the user accepts the Accessibility Service popup during the installation phases, the malware can record every activity done by the user on the compromised device.’).
  • [T1548.003] Abuse Elevation Control Mechanism: Accessibility Features – Malware leverages a crafted Accessibility service popup to gain elevated input/interaction capabilities during install (‘implementing a specific Accessibility service popup to appear legitimate during the installation phases’).
  • [T1041] Exfiltration Over Command and Control Channel – Collected credentials and victim data are forwarded to a Telegram group and stored on the C2 panel (‘All the collected data are usually sent back to a dedicated Telegram group, if set, and stored on their C2 panel.’).
  • [T1090] Proxy – Use of Cloudflare reverse-proxy services to mask the location of infrastructure and resist takedown (‘TAs abuse the Reverse Proxy service offered by Cloudflare to mask the actual location of their servers’).

Indicators of Compromise

  • [Domain] Phishing panels / APK hosting – proceder-al-modulo[.]com, descargar-e-instalar[.]com, and 7 other domains used to host phishing pages or APKs.
  • [File hash] Copybara APK – 22483da70e998a316e9ac5b905b0fc9e (identified as a Copybara sample).
  • [IP address] C2 infrastructure – 176.124.32[.]39 (associated with the C2 panel).
  • [App name / fake app] Malicious APK naming patterns – examples used in distribution: “Caixa Sign Nueva”, “BBVA Codigo” (used to masquerade APKs and lure victims).

Operators initially lure targets via smishing/vishing that reference familiar bank branding, then redirect victims to dynamically generated phishing kits or directly offer APKs disguised as legitimate banking/token apps. The Mr. Robot control panel orchestrates campaign distribution, dynamically extracting phishing kits into randomized subfolders and filtering connections by device fingerprinting/geolocation to serve only likely mobile victims. Many phishing domains solely host APKs, suggesting prior harvesting of victim contact details to streamline targeted delivery.

When an Android device installs the Copybara APK (often built and customized via the JOKER RAT panel), the malware requests Accessibility privileges through a crafted popup to enable full interaction. With those privileges the operator can perform a “Silent Connect” (VNC-like remote control), observe installed apps and real-time input, deploy overlay (web-inject) pages tied to specific package names, and activate SMS RAT functionality to capture one-time codes by replacing the default SMS handler.
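A triage helper for the privilege combination described above, added here as an example and not Cleafy's tooling: it parses device state an analyst collects with standard adb commands (`settings get secure enabled_accessibility_services`, `settings get secure sms_default_application`, `pm list packages -i`) and flags a non-allowlisted package that holds both an enabled Accessibility service and the default SMS handler, the pairing Copybara needs for keylogging and SMS RAT. The package names, allowlists and command output below are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample values shaped like the adb responses (not from a real device).
ENABLED_A11Y = ("com.android.talkback/.TalkBackService:"
                "com.caixa.sign.nueva/.AccService")
DEFAULT_SMS = "com.caixa.sign.nueva"
PM_LIST_I = """package:com.android.talkback  installer=com.android.vending
package:com.google.android.apps.messaging  installer=com.android.vending
package:com.caixa.sign.nueva  installer=null
"""
# Packages allowed to hold these privileges on the fleet (assumption for the example).
A11Y_ALLOWLIST = {"com.android.talkback"}
SMS_ALLOWLIST = {"com.google.android.apps.messaging"}


@dataclass
class Finding:
    package: str
    accessibility: bool
    default_sms: bool
    sideloaded: bool

    @property
    def severity(self) -> str:
        # Accessibility service + default SMS handler is the keylogger/SMS RAT pairing.
        if self.accessibility and self.default_sms:
            return "high"
        return "medium" if self.sideloaded else "low"


def parse_a11y(raw: str) -> set[str]:
    """'pkg/.Svc:pkg2/.Svc' -> {'pkg', 'pkg2'}; keeps only the package part."""
    return {entry.split("/")[0] for entry in raw.strip().split(":") if entry}


def parse_installers(raw: str) -> dict[str, str]:
    """'package:<pkg>  installer=<src>' lines -> {pkg: src}; 'null' means sideloaded."""
    out = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            pkg, _, inst = line[len("package:"):].partition("installer=")
            out[pkg.strip()] = inst.strip()
    return out


def triage(a11y_raw: str, default_sms: str, pm_raw: str) -> list[Finding]:
    """Return one Finding per non-allowlisted holder of either privilege."""
    a11y = parse_a11y(a11y_raw) - A11Y_ALLOWLIST
    sms = {default_sms.strip()} - SMS_ALLOWLIST - {"", "null"}  # key may be unset
    installers = parse_installers(pm_raw)
    return sorted((Finding(p, p in a11y, p in sms, installers.get(p, "null") == "null")
                   for p in a11y | sms), key=lambda f: f.package)
```

Run `triage(ENABLED_A11Y, DEFAULT_SMS, PM_LIST_I)` on the sample: the sideloaded package holding both privileges is the only finding and is rated high.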

Exfiltration and orchestration follow a tight loop: stolen credentials and phone numbers are sent back to the C2 and optionally relayed into Telegram groups for operators; fraud operators then execute vishing calls (spoofing bank numbers) and use the C2 features—overlay injections, fake push notifications, and remote interactions—to complete unauthorized instant payments. Infrastructure protections include Cloudflare reverse proxies and runtime obfuscation/encryption of APKs, while some server-side data are exposed as plain JSON files in SleekDB on the Mr. Robot panels, increasing forensic visibility if accessed.

Read more: https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign