
Security researchers have recently documented an Android malware campaign dubbed “Copybara”. It is an example of an escalating trend in on-device fraud: rather than stealing credentials for use elsewhere, the malware takes control of the victim’s own device and uses it to push unauthorised financial transactions through.

Copybara’s Functionality

Copybara is an Android trojan that primarily spreads through malicious applications distributed via third-party app stores. Upon installation, the malware seeks device administrator privileges, giving it elevated control over the infected device. It then carries out overlay attacks: fraudulent login screens or prompts are drawn on top of the legitimate application so that the victim types credentials and other sensitive information into the attacker’s window rather than the real one.

The malware’s primary objective is to hijack legitimate financial applications and initiate unauthorised transactions, enabling cybercriminals to siphon funds directly from victims’ accounts or digital wallets.

Attack Vector and Techniques

Researchers have identified several stages in Copybara’s attack chain:

  1. Delivery: Malicious apps masquerading as legitimate offerings are distributed through third-party app stores.
  2. Persistence: The malware gains device administrator privileges for persistent access.
  3. Overlay Attacks: Fake login screens and prompts are displayed to harvest credentials and sensitive data.
  4. Application Hijacking: Legitimate financial apps are hijacked to initiate unauthorised transactions.
  5. Data Exfiltration: Harvested credentials and other sensitive data are sent to attacker-controlled servers, while the fraudulent transactions drain funds from the victim’s account.

Copybara’s operators have also been observed leveraging social engineering tactics, such as impersonating legitimate entities or services, to further deceive victims.

Copybara fraud operation | Image: Cleafy Labs

Mitigating the Threat

To reduce the risk of falling victim to Copybara and similar on-device fraud campaigns, users should:

  • Avoid downloading apps from untrusted third-party sources.
  • Exercise caution when granting permissions, especially device administrator privileges and the “draw over other apps” permission that overlay attacks depend on.
  • Keep devices updated with the latest security patches.
  • Consider installing reputable mobile phone/tablet security solutions to detect and prevent malware infections.
  • Regularly monitor bank and building society accounts for unauthorised activity.
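The advice above is phrased for end users. For anyone triaging a handset over adb, the following shell script is an added example (not code from the article or from Cleafy Labs) that parses captured `adb shell` output for the indicators the list points at: enabled device administrators, apps granted the overlay (`SYSTEM_ALERT_WINDOW`) capability, and third-party apps whose recorded installer is not the Play Store. The sample output embedded in the script is constructed and every package name in it is hypothetical; the `dumpsys device_policy`, `pm list packages -3 -i` and `appops get` commands are real, but their output layout varies between Android versions, so the parsers are a starting point rather than a finished tool.

```shell
#!/bin/sh
# Added example, not code from the article or from Cleafy: offline triage helpers
# that parse captured `adb shell` output for the indicators the mitigations above
# point at. The samples below are CONSTRUCTED for this example; they mimic the
# general shape of the real commands' output, which varies between Android
# versions, and every package name in them is hypothetical.

# Constructed sample of `adb shell dumpsys device_policy`.
SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10082
      policies:
        wipe-data
        force-lock
    com.example.fakebank.update/.AdminReceiver:
      uid=10231
      policies:
        force-lock
        wipe-data
  Password requirements:
    mPasswordOwner=-1'

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps with installer).
SAMPLE_PACKAGES='package:com.example.fakebank.update  installer=null
package:com.realbank.mobile  installer=com.android.vending
package:com.example.game  installer=com.android.packageinstaller'

# Print "package/receiver" for every component listed under "Enabled Device Admins".
list_device_admins() {
  awk '
    /Enabled Device Admins/ { in_section = 1; next }
    in_section && /^  [^ ]/ { in_section = 0 }   # next two-space-indented section ends the list
    in_section && $1 ~ /^[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:$/ { sub(/:$/, "", $1); print $1 }
  '
}

# Print packages whose recorded installer is not the Play Store (com.android.vending);
# sideloaded apps typically show installer=null or a generic package installer.
list_sideloaded() {
  awk -F'[: =]+' '$1 == "package" && $4 != "com.android.vending" { print $2 }'
}

# Exit 0 when the output of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` shows the
# "draw over other apps" capability that overlay attacks depend on is allowed.
overlay_allowed() {
  grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Cross-reference: device-admin packages that were not installed from the Play Store.
# Usage: flag_suspicious "$device_policy_text" "$package_list_text"
flag_suspicious() {
  admins=$(printf '%s\n' "$1" | list_device_admins | cut -d/ -f1)
  sideloaded=$(printf '%s\n' "$2" | list_sideloaded)
  for a in $admins; do
    for s in $sideloaded; do
      if [ "$a" = "$s" ]; then echo "$a"; fi
    done
  done
  return 0
}

# Run against the constructed samples; on a real device feed in captured output, e.g.
#   adb shell dumpsys device_policy > dp.txt; adb shell pm list packages -3 -i > pk.txt
echo "Enabled device admins:";    printf '%s\n' "$SAMPLE_DEVICE_POLICY" | list_device_admins
echo "Not from Play Store:";      printf '%s\n' "$SAMPLE_PACKAGES" | list_sideloaded
echo "Sideloaded device admins:"; flag_suspicious "$SAMPLE_DEVICE_POLICY" "$SAMPLE_PACKAGES"
```

Running it on a real handset needs USB debugging enabled, which itself is a change to the device; on a phone you believe is already compromised, do that only after the account credentials have been changed from a different machine, as the remediation advice below says. A device-admin receiver belonging to a package the Play Store did not install is exactly the combination the article describes, and the overlay check should then be run against that package name.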

If a device is suspected of being compromised, users should immediately change their login and security details, notify their banks for advice and, if necessary, seek professional assistance for device remediation. Do not change bank usernames and passwords on the device suspected of being infected; an overlay or keylogging trojan on that device can capture the new credentials just as it captured the old ones. Use a different phone or a laptop instead.

The Copybara campaign underscores the growing sophistication of mobile malware and the need for heightened vigilance and proactive security measures to protect against on-device fraud and other emerging threats.
