SHA1:
- f2de6a855f04a0f5e0999c5b413347adaa1197e2
Description
The Android.BankBot.Coper.1.origin is a banking trojan for the Android operating system that targets Colombian users. It represents an executable dex file and is a component of the Android.BankBot.Coper.2 malicious application.
Operating routine
Upon launch, the Android.BankBot.Coper.1.origin conceals the icon of the Android.BankBot.Coper.2 parent app from the list of installed applications on the home screen and connects to the C&C server, registering the infected device. The trojan keeps the connection to the server, sending requests to it each minute. This time interval, however, can be changed if the trojan receives a corresponding command. Moreover, Android.BankBot.Coper.1.origin can also change other parameters of its configuration:
- response―various variants of server response. For instance, REG_SUCCESS or SMS_OK_. The former is received upon registering the infected device on the server, after which the trojan sets the true value in the is_registered field of the configuration. When the latter is received, the trojan deletes the contents of the intercepted SMS stored in the new_sms field
- injects_list―a list of targeted applications, whose windows will be overlaid by a phishing window upon launch
- extra_domains―a list of C&C servers
- block_push_apps―a list of programs whose push notifications will be blocked
- minimize_apps―a list of apps that the trojan will prevent from launching, returning the user to the home screen
- uninstall_apps―a list of apps to delete
- keylogger_enabled―launch a keylogger
Moreover, timers for various actions can also be set:
- block_push_delay;
- minimize_delay;
- uninstall_delay;
- keylogger_delay;
- injects_delay;
- net_delay.
The commands to execute malicious actions:
- ussd―run a USSD request
- sms―send an SMS
- lock_on―lock the device screen
- lock_off―unlock the device screen
- intercept_on―start intercepting SMS
- intercept_off―stop intercepting SMS
- push―demonstrate a push notification
- repeat_inject―re-display a phishing window on top of the targeted app’s window
- start_keylogger―run a keylogger
- stop_keylogger―stop a keylogger
- uninstall_apps―delete an application specified in the command
- kill_bot―delete itself and the dropper
Moreover, Android.BankBot.Coper.1.origin intercepts and sends the contents of all incoming push notifications to the C&C server.
The display of phishing windows is performed through the WebView with the contents received from the C&C server and loaded into it.
With that, all requests to the server and all received responses from it are encrypted with the AES algorithm and the 54569d2aaae7176335a67bf72e86736f key.
An example of the parameters sent to the C&C server upon the infected device registration:
- xc is a request type. For example, bR is a registration request. It can also have the bS value for sending SMS and the bP for other actions
- tA is a device IMEI number
- tB is a mobile number
- tC is a user country
- tD is a default system language
- tE is an OS version
- tF is a device model
- tG is a mobile carrier
- lA is a list of installed apps
- lB is a constant
- lL is a flag representing the presence of the installed dropper
- bI is an md5 fingerprint of the device
- iA is a getDefaultSmsPackage flag showing the trojan is a default SMS manager
- dA is a flag device_admin_set showing whether the trojan is a device administrator
- lK is a flag lock_on showing whether the device screen is locked
- iAc is a flag accessibility_enabled showing whether the trojan has access to Accessibility Services
- up is an uptime parameter
- kL is a flag keylogger_enabled showing whether the keylogger is running
Similar to Android.BankBot.Coper.2.origin, Android.BankBot.Coper.1.origin has a self-protection mechanism.
