{
	"id": "c571ca0b-f3b0-4b8c-a862-6b7bb13a4c45",
	"created_at": "2026-04-06T00:22:15.624425Z",
	"updated_at": "2026-04-10T03:21:54.815172Z",
	"deleted_at": null,
	"sha1_hash": "0e97ebb80f8b7a931e828d5b9beae06df73c04e0",
	"title": "On-Device Fraud on the rise: exposing a recent Copybara fraud campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4604536,
	"plain_text": "On-Device Fraud on the rise: exposing a recent Copybara fraud\r\ncampaign\r\nBy Francesco Iubatti, Federico Valentini\r\nArchived: 2026-04-02 12:38:11 UTC\r\nExecutive summary\r\nIn 2023, Account Takeover (ATO) was confirmed to be among the most harmful types of fraud for online banking\r\ncustomers. At Cleafy, we have seen that 90% of fraud attempts are still conducted via Account Takeover, and\r\nour forecasts expect this number to stay flat in 2024. Banks and financial institutions have always been the highest\r\npriority targets of ATO attacks, as cybercriminals aim to make immediate financial gains from their illegal\r\nactivities.\r\nAn intricate and growing threat is On-Device Fraud (ODF). This fraud presents a multifaceted challenge for anti-fraud teams within the banking sector, as it involves fraudulent activities initiated directly through the victim's\r\ndevice. Unlike traditional methods of fraud, ODF reduces the presence of conspicuous risk indicators during\r\nbrowsing sessions, rendering conventional anti-fraud countermeasures largely ineffective.\r\nThis emerging threat has been made possible through the capabilities afforded by over 80% of modern Android\r\nbanking trojans such as Vultur, TeaBot, and SpyNote. At the core of this capability lies the concept of remote\r\ncontrol, which enables Threat Actors (TAs) to execute ODF scenarios. Each malware family executing remote\r\ncontrol functionality may employ distinct implementation flavours, reflecting the varying skills and knowledge of\r\nthe developers behind them.\r\nReaders must understand that the challenge posed by ODF extends far beyond a single banking trojan like\r\nCopybara, the focus of this report. Our findings underscore the broader scope of this threat landscape, as we have\r\ntraced the entire fraud chain orchestrated by responsible TAs. 
This investigation will give readers the full spectrum\r\nof their tactics, techniques, and procedures (TTPs), from the initial Social Engineering components (such as\r\nphishing and vishing) used to initiate the attack to the distribution of Copybara for device infection and the\r\nmeticulous management of these attack phases to ensure the success of their campaigns.\r\nKey Points\r\nFrom the end of 2023 to the first weeks of 2024, we intercepted an ongoing banking fraud campaign\r\nagainst the UK, Spain, and Italy.\r\nThreat Actors (TAs) behind this campaign adopted a hybrid approach, including Social Engineering\r\ntechniques (smishing/vishing) and malware components to perform unauthorised banking transfers (via\r\nInstant Payments) to a well-organized network of bank accounts (money mules).\r\nTAs have been caught using a structured way of managing all the ongoing phishing campaigns via a\r\ncentralised web panel known as “Mr. Robot”. With this panel, TAs can enable and manage multiple\r\nphishing campaigns (against different financial institutions) based on their needs.\r\nhttps://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign\r\nPage 1 of 17\n\nIf a victim appears to be using an Android device, TAs will try to install an Android banking\r\ntrojan known as Copybara with the help of Social Engineering.\r\nCopybara presents all the functionalities for performing On-Device Fraud (ODF), and initiating\r\nunauthorised money transfers directly on the victim's device. 
With the ODF approach, TAs have\r\nsignificantly enhanced their ability to process fraudulent transactions, rendering conventional anti-fraud\r\ncountermeasures largely ineffective.\r\nTTPs\r\nThe following table represents a summary of the TTPs behind Copybara campaigns:\r\nCopybara Fraud Operation Overview\r\nThe following diagram provides a high-level overview of the technical components involved in TA fraud\r\noperations.\r\nFigure 1 – Copybara fraud operation\r\nOn top of this fraud operation architecture, TAs exploit Social Engineering techniques for distributing the\r\nCopybara banking trojan, which typically involves smishing and vishing techniques, leveraging native-speaker\r\noperators. In particular, several samples reveal TAs distributing Copybara through seemingly legitimate apps,\r\nutilizing logos of well-known banks and names that sound authentic, such as “Caixa Sign Nueva”, “BBVA\r\nCodigo”, “Sabadell Codigo”.\r\nAccording to data retrieved during our investigation:\r\nTAs leverage a dedicated web panel to manage all the active phishing websites and adequately distribute\r\nthe malware to potential victims. According to the logo on the login page, this panel has been named “Mr.\r\nRobot”.\r\nTAs abuse the Reverse Proxy service offered by Cloudflare to mask the actual location of their servers and\r\nguarantee more protection against DDoS attacks and takedown requests.\r\nNot all active domains present a phishing kit for a specific banking institution; some appear to be deployed\r\nonly for serving Copybara samples (.apk). 
It is possible that TAs already have valid data on potential\r\nvictims (e.g., personal details, phone numbers, login information) coming from previous phishing\r\ncampaigns.\r\nTAs are interested in 3 countries: Spain, Italy, and the UK.\r\nWhat is a Phishing kit?\r\nPhishing has evolved into a sophisticated art form in cybercrime, leveraging deceptive tactics to trick individuals\r\ninto revealing sensitive information. Nowadays, many successful phishing campaigns leverage tools called\r\n\"phishing kits.\" These kits are pre-packaged sets of malicious tools and resources meticulously crafted by TAs to\r\nstreamline and amplify their fraudulent activities.\r\nA phishing kit is a collection of malicious assets and scripts designed to replicate legitimate websites, often\r\nmimicking the login pages of banks, financial institutions, or other trusted platforms. These kits are constructed to\r\ndeceive unsuspecting victims into divulging confidential information such as usernames, passwords, and phone\r\nnumbers.\r\nThe deployment of phishing kits serves several purposes for cybercriminals engaged in fraudulent activities,\r\nespecially those centered around banking fraud:\r\nEase of Use: Phishing kits simplify setting up malicious websites, allowing even less technically skilled\r\nTAs to conduct sophisticated cyber attacks.\r\nSpeed and Efficiency: With pre-configured templates and scripts, TAs can rapidly deploy phishing\r\ncampaigns, maximising the volume of potential victims.\r\nConcealment: By mimicking legitimate sites, phishing kits help TAs avoid detection by blending into the\r\nvast sea of genuine online traffic.\r\nCustomisation: TAs can tailor phishing kits to target specific organisations or demographics, enhancing the\r\nchances of success in their fraudulent endeavours.\r\nIntroducing Mr. Robot: a C2 Framework for phishing campaigns\r\nOur investigations unveiled an additional C2 framework dubbed \"Mr. Robot\". The name “Mr. 
Robot” has been\r\ntaken from the logo present on the login page of the web panel.\r\nFigure 2 – Mr. Robot panel - login page\r\nWhat sets this C2 framework apart is its capability to handle multiple phishing campaigns concurrently. It allows\r\nTAs to orchestrate tailored attacks on distinct financial institutions simultaneously. Each phishing campaign,\r\nequipped with unique phishing kits, is designed to mirror the targeted bank's online interface.\r\nFigure 3 – Mr. Robot - Phishing Campaigns Overview\r\nAccording to the source code of the Mr. Robot C2, the authors decided to rely on a standard database, such as MySQL,\r\nto store only some of the fraudulent data collected during their campaigns. Instead, their approach was based on\r\nthe usage of SleekDB, a NoSQL database implementation written in pure PHP that stores data in plain JSON files, as\r\nshown in the following Figure.\r\nFigure 4 – Mr. Robot C2 - Usage of SleekDB for data storage\r\nThe consequences of this approach are significant, since all the data appears to be saved in plain text, in JSON format,\r\nand inside the web server's document tree. The data can be easily accessed without authentication if the path is known.\r\nFigure 5 – Mr. Robot - Exfiltrating active domains\r\nDespite these weaknesses encountered during our analysis, TAs deployed several layers of countermeasures\r\nagainst the web crawling and scraping techniques typically adopted by cybersecurity firms and vendors. The\r\nfollowing paragraph will explore how TAs try to evade detection and domain takedown actions.\r\nMr. 
Robot: Anti-detection techniques\r\nNowadays, multiple Threat Intelligence vendors have embraced proactive measures to identify phishing websites,\r\nboth newly registered and, in specific contexts, soon-to-be activated. On the other hand, TAs put effort into developing\r\nevasion techniques to avoid quick detection of a newly registered phishing domain.\r\nTypically, modern phishing kits adopt multiple anti-detection techniques, including:\r\nGeofencing checks\r\nDevice fingerprinting\r\nBlacklisting specific ASNs and/or network ranges\r\nAbuse of legitimate services, such as CDNs and reverse proxies, for masking the actual location of the web\r\nserver\r\nDynamic content generation\r\nThe following Figure summarises all the primary evasion techniques adopted, starting when a potential new\r\nvictim follows a malicious link set up by TAs.\r\nFigure 6 – Mr. Robot - Anti-evasion techniques\r\nSince the primary focus of this fraudulent campaign is the clientele of retail banking institutions from specific\r\ngeographical areas (Italy, Spain, and the UK), filtering out all the connections except the ones coming from a\r\nmobile device is a pretty standard technique adopted by various TAs. Most individuals nowadays engage in home\r\nbanking activities through their mobile devices, making them lucrative targets for TAs.\r\nFigure 7 – Mr. Robot - Filtering HTTP connections\r\nIf all the checks are successfully passed, the originating connection will be considered “a potential new victim”, so\r\nthe phishing login page can be shown accordingly.\r\nAs shown, TAs adopted a dynamic routine to extract all the necessary files for their phishing attempt at run-time.\r\nWith this method, each victim will be redirected to a specific, randomly named subfolder where the phishing\r\nkit has been extracted.\r\nFigure 8 – Mr. 
Robot - Dynamic extraction of the phishing kit\r\nThe following is an example of an active phishing kit leveraged by this TA, which is composed of three simple\r\nsteps:\r\nExfiltrate the valid credentials and the associated phone number;\r\nExfiltrate a valid name and an estimate of the bank account’s balance;\r\nDisplay a fake message to the victims after data exfiltration.\r\nFigure 9 – Mr. Robot - Phishing kit steps\r\nAll the collected data are usually sent back to a dedicated Telegram group, if set, and stored on their C2 panel.\r\nFrom here, operators can easily manage all the victims' data inserted in the current phishing page.\r\nThe next step is a vishing approach to the victims. Fraud operators leverage native speakers to get a direct\r\nconnection via phone, typically spoofing a valid number of the targeted banking institution and introducing themselves\r\nas an anti-fraud / security team.\r\nAccording to their panel, a dropdown menu has been created to help fraud operators keep track of the state of each\r\nvictim:\r\n“Da chiamare”: not called yet [yellow box]\r\n“Fatto”: already called [green box]\r\n“Elimina”: cancel record [red box]\r\nFigure 10 – Mr. Robot - Control panel with victims' details\r\nExploring Copybara botnet and features\r\nIntroduction\r\nIn this section, we provide a tour of the main features of the Copybara botnet, starting from the functionalities\r\noffered through the associated C2 (Command and Control) web panel.\r\nIn botnet operations, C2 web panels provide attackers with a centralised interface to manage and control\r\ncompromised devices. 
These panels are pivotal components in the infrastructure of botnets, offering attackers a\r\nrange of functionalities to execute and oversee their malicious activities.\r\nFurthermore, web panels facilitate data collection from compromised devices, including system information and\r\ncredentials, enabling analysis and exploitation for further malicious activities. Lastly, botnet controllers leverage\r\nweb control panels to monitor the health and performance of their botnet, tracking the number of active bots and\r\ntheir geographic distribution.\r\nUnderstanding the capabilities and functionalities of web control panels is crucial for comprehending the threat\r\nlandscape posed by botnet operations. Analysts can gain deeper insights into attacker tactics, techniques, and\r\nprocedures (TTPs) by dissecting these components, enhancing their ability to effectively mitigate and counteract\r\nsuch threats.\r\nOverview of C2 panel and functionalities\r\nCopybara leverages a C2 panel named “JOKER RAT”. Starting from its dashboard, the panel displays the list of\r\nall the infected devices and their geographical distribution over a map, with the feature called “Live MAP”, as\r\nshown in the following Figure 11.\r\nFigure 11 – Copybara Dashboard (Live MAP)\r\nThis dashboard can also retrieve basic information about the infected devices, such as the device name, OS\r\nversion, and IP address. With this data, TAs can easily “triage” the infected devices by country or determine which\r\nvictim is online/offline. 
A “notification mechanism” is also triggered whenever a new device is infected.\r\nAs shown in the following Figure 12, for each infected device inside the panel, TAs can perform different actions,\r\nin particular:\r\nSilent Connect: This is the main feature of the panel that allows the TAs to remotely control and interact in\r\nreal-time with the victim's infected device (VNC).\r\nInject: injecting the overlay page to steal the banking/crypto credentials (Overlay attacks).\r\nNotes: This feature is usually used by TAs to note down some information about the victim to be\r\ndefrauded.\r\nDelete: delete the infected device from the dashboard.\r\nFigure 12 – C2 panel with infected device\r\nWhen the “Silent Connect” button is clicked, a new page is opened, and TAs can collect additional data and\r\nperform fraudulent actions on the infected device.\r\nIn the Android banking trojan context, this feature is also known as VNC, which enables the attacker to view and\r\nmanipulate the screen of the compromised device remotely. This level of access allows them to carry out various\r\nfraudulent activities, including On-Device Fraud (ODF).\r\nFigure 13 – Copybara - “Silent connect” feature\r\nReal-time keylogging\r\nOnce the user accepts the Accessibility Service popup during the installation phases, the malware can record every\r\nactivity done by the user on the compromised device. 
The attacker can observe them in real time on the C2 panel.\r\nIn particular, the TAs can observe:\r\nThe list of applications installed on the infected device;\r\nWhich applications the user opens and every action performed in them;\r\nAny text written by the user.\r\nFigure 14 – Realtime credential gathering\r\nFigure 15 – Realtime credential gathering from keylogger tag\r\nOverlay attacks and SMS sniffer\r\nAnother way to steal the banking/crypto credentials is through the well-known overlay attack. In Figure 12, in\r\naddition to the “silent connect” button, TAs can use the “inject” button to show the overlay page on the infected\r\ndevice. Once TAs have received the list of the apps installed inside the victim's device, they can upload the specific\r\noverlay page (composed of HTML, CSS, and JavaScript code) to the “injections settings”, specifying the package\r\nname of the targeted app, as shown in Figure 16.\r\nFigure 16 – Injections settings\r\nFurthermore, TAs can steal SMS messages using the “SMS RAT” capability, considering that some banks/crypto\r\napps use SMS as a 2FA method to send the OTP code during the login phase or to approve a transaction. When\r\nan attacker presses the “SMS RAT” button (1), a popup or a settings page (depending on the Android version)\r\nappears on the infected device asking the user to replace the default SMS manager app (2) with the\r\nmalicious app (masqueraded behind the bank name/icon). 
If the user accepts the change, the TAs can receive all the SMS\r\nmessages (3) and automatically hide them on the infected device.\r\nFigure 17 – Injections settings\r\nFake notifications\r\nAnother feature available inside the panel is the “Push Notification”, probably used to send fake push notifications\r\nto the infected devices that look like bank notifications, to entice the user to open the bank's app so\r\nthat the malware can steal credentials. As shown in Figure 18, TAs can customise the fake push notification with a\r\n“title”, a “description”, the package name of the app, and an icon.\r\nFigure 18 – Push notification\r\nAPK builder\r\nTAs can access a specific section of the panel to create and customise malicious apps. As illustrated in Figure 19,\r\nTAs can select the names and package names for the app and specify the icon to be used. Based on past\r\ncampaigns, Copybara TAs typically opt for names and icons resembling those of Italian and Spanish banks, often\r\nincorporating terms like “Token” and “Sicuro/Seguro”.\r\nWithin the panel, TAs can further customise the APK file by:\r\nImplementing a specific Accessibility service popup to appear legitimate during the installation phases\r\nEncrypting the APK to evade detection\r\nIncluding “web injects” files to execute overlay attacks\r\nFigure 19 – APK Builder\r\nConclusion\r\nThe emergence of On-Device Fraud (ODF) represents a significant and evolving threat within the realm of\r\nbanking fraud. 
Our investigation into a recent Copybara operation sheds light on the intricate tactics employed by\r\nTAs to compromise user devices and perpetrate fraudulent activities directly through familiar channels. Using\r\nremote control functionality embedded within modern Android banking trojans, such as Vultur, TeaBot, and\r\nSpyNote, perpetrators have effectively minimised detection by challenging traditional anti-fraud measures.\r\nStakeholders within the banking and cybersecurity sectors must recognise the gravity of ODF and its implications\r\nfor financial institutions and end-users. By understanding the complexities of these attacks and remaining vigilant\r\nagainst emerging threats, organisations can proactively mitigate risks and safeguard against potential losses. Our\r\nfindings underscore the necessity for continued collaboration, innovation, and adaptation in the ongoing fight\r\nagainst banking fraud.\r\nCollectively, we can work towards a more secure digital ecosystem for all through ongoing vigilance, robust\r\ndefences, and informed decision-making.\r\nAppendix 1: list of IoCs\r\nThe following table summarizes the list of all the commands found on Oscorp during the technical analysis:\r\nSource: 
https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign"
	],
	"report_names": [
		"on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0e97ebb80f8b7a931e828d5b9beae06df73c04e0.pdf",
		"text": "https://archive.orkl.eu/0e97ebb80f8b7a931e828d5b9beae06df73c04e0.txt",
		"img": "https://archive.orkl.eu/0e97ebb80f8b7a931e828d5b9beae06df73c04e0.jpg"
	}
}