{
	"id": "2f044d70-a37a-48f7-b320-692757ab4d45",
	"created_at": "2026-04-10T03:20:40.336497Z",
	"updated_at": "2026-04-10T03:22:18.169056Z",
	"deleted_at": null,
	"sha1_hash": "145eb0cb5930f9573037ff42e9bdcf13539be982",
	"title": "Cyble - Android Malware Posing as Google Play Store App Installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1550049,
	"plain_text": "Cyble - Android Malware Posing as Google Play Store App\r\nInstaller\r\nBy cybleinc\r\nPublished: 2022-03-24 · Archived: 2026-04-10 02:32:33 UTC\r\nCyble Research Labs analyses the latest variant of the Coper Banking Trojan that is posing as a Google Play Store\r\ninstaller.\r\nDuring our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across\r\nvarious malware samples of Coper malware from a third-party intelligence website. Coper is linked to\r\nExoBotCompat, a revised version of Exobot Android malware.\r\nCoper malware apps are modular in design and include a multi-stage infection method and many defensive tactics\r\nto survive removal attempts. Coper malware was initially discovered targeting Colombian users around July 2021.\r\nNewer versions of the Coper Banking trojan have been observed targeting Android users in different countries\r\nacross Europe. They are anticipated to expand their scope to other regions in the future, targeting a variety of\r\nbanking apps worldwide.\r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nThis type of malware is generally known for impersonating financial institution apps called Bancolombia\r\nPersonas. Newer versions of the Coper malware also started to adopt impersonating Utility apps.\r\nThe infection itself is broken down into two distinct phases. The first step is to install the fake app that the Threat\r\nActors (TAs) pass off as banking software. 
This app is nothing more than a dropper, and its sole purpose is to disseminate and install the primary harmful module hidden within the malicious app.\r\nhttps://blog.cyble.com/2022/03/24/coper-banking-trojan/\r\nPage 1 of 14\n\nThe features in the current version of Coper malware are listed below:\r\nSend USSD requests\r\nSend SMS\r\nLock the device screen\r\nUnlock the device screen\r\nStart intercepting SMS\r\nStop intercepting SMS\r\nDisplay a push notification\r\nRe-display phishing window on top of the specified app\r\nRun a keylogger\r\nStop a keylogger\r\nUninstall applications specified in the command\r\nUninstall itself with the dropper app\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Play Store app install\r\nPackage Name: com.theseeye5\r\nSHA256 Hash: 4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f\r\nFigure 1 shows the metadata information of the application.\r\nFigure 1 – App Metadata Information\r\nThe figure below shows the application icon impersonating the Google Play Store app displayed on the Android\r\ndevice.\r\nFigure 2 – App Icon and Name\r\nManifest Description\r\nThe fake Play Store app asks for 32 permissions, of which the TA takes advantage of 12. 
The malware’s harmful\r\npermission requests are listed below:\r\nPermission  Description\r\nREAD_PHONE_STATE  Allows the application to access the phone features of the device\r\nADD_VOICEMAIL  Allows an application to add voicemails into the system\r\nCALL_PHONE  Allows the application to call phone numbers without your intervention\r\nREAD_EXTERNAL_STORAGE  Allows an application to read from external storage.\r\nWRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.\r\nWRITE_SETTINGS  Allows an application to modify the system’s settings data.\r\nCALL_PHONE  Perform call without user intervention\r\nREAD_SMS  Access user’s SMSs stored in the device\r\nRECEIVE_SMS  Fetch and process SMS messages\r\nSEND_SMS  Allows the app to send SMS messages\r\nSYSTEM_ALERT_WINDOW  Allows the app to display system alerts over other apps\r\nWe found the activity class that is initiated when the app is launched via the icon. This was determined by looking\r\nat the Android components declared in the Manifest file. Figure 3 depicts the declaration of this activity.\r\nFigure 3 – Launcher Activity\r\nIn addition to the launcher activity, the application’s Manifest file contains several receivers \u0026 services and the\r\napplication’s subclass.\r\nSource Code Review\r\nApart from the application’s subclass, the rest of the components identified from the Manifest file are missing.\r\nHence, we can infer that the application is packed.\r\n“com.theseeye5.KSNckdWjjyIXg” is the application’s subclass initiated on launching the application. Upon analyzing\r\nthe subclass, we found that the application loads its components from the library file, as shown below.\r\nFigure 4 – Application’s Subclass loading library file\r\nThe project file browser can also be used for viewing the library file’s presence. 
libyvr.so is visible in the\r\nscreenshot below.\r\nFigure 5 – Library file in Project file representation\r\nUpon analyzing the “.so” file, we found that the application acts as a dropper, which is the initial phase of the Coper malware\r\nthat drops and installs the malware’s primary harmful module hiding inside the victim’s Android device.\r\nAs seen in Figure 4, the file drops an encrypted .dex file. This file can be decrypted to reveal the Coper malware’s\r\nmalicious code, as shown below.\r\nFigure 6 – Decrypted Dex file\r\nUpon analyzing the decrypted .dex file, we were able to find the presence of the missing Receivers, Services, and\r\nMainActivity of the application. Below, we have listed the malicious activities the application can perform:\r\nThe application uses the Device Administration API along with the DeviceAdminReceiver subclass to\r\nenable/disable device admin for the apps that users install on their devices.\r\nFigure 7 – Enabling/Disabling Device Admin\r\nThe application can read all the incoming SMS messages from the infected device.\r\nFigure 8 – Reading Incoming SMS\r\nThe application’s entry point/launcher activity reads installed packages from the user’s device.\r\nFigure 9 – Launcher activity of the malicious application\r\nThe malware reads the incoming notifications by verifying the packages and steals the messages from the\r\nnotification using Notification Listener Service.\r\nFigure 10 – Reads and cancels the notification using Notification Listener service\r\nLike other Banking Trojans, Coper malware requests users to enable the Accessibility Service to perform various\r\nAccessibility Event types to conduct malicious activities, as shown in the below figure.\r\nFigure 11 – Accessibility Event Types\r\nThe malware maintains a connection with the C\u0026C server and queries it every minute. If the malware gets the\r\nrelevant instructions from the C\u0026C server, the time interval can be altered to ensure the malware gets sufficient\r\ntime to perform other malicious functionalities.\r\nCoper malware may also alter additional configuration parameters, as shown in Figure 12.\r\nFigure 12 – Timer Delay and Configuration Changes Performed by malware\r\nThe list of webinjects or applications for which malicious apps attempt to steal data was also identified. Coper\r\nmalware usually has a targeted list of applications on its remote server that prohibits them from running in the\r\ninfected device. Coper malware actively targets banking applications across Europe, Australia, and even parts of\r\nSouth America.\r\nThe malware also receives commands from the TA through the C\u0026C URL hard coded within the app in encrypted\r\ntext. 
Figure 13 depicts the list of commands stored within the app in encrypted text.\r\nFigure 13 – Commands received from C\u0026C server\r\nThe list of commands used in Coper malware is given below:\r\nCommand  Description\r\nussd  Run a USSD request\r\nsms  Send an SMS\r\nregister_again  Dynamically registering a broadcast receiver\r\nlock_on \u0026 lock_off  Lock/Unlock the device screen\r\nintercept_on \u0026 intercept_off  Start/Stop intercepting SMS\r\nvnc_start \u0026 vnc_stop  Start/Stop a VNC\r\npush  Display a push notification\r\nrepeat_inject  Re-display a phishing window on top of the targeted app’s window\r\nstart_keylogger \u0026 stop_keylogger  Run/Stop a Keylogger\r\nuninstall_apps  Delete an application specified in the command\r\nkill_bot  Delete itself and the dropper\r\nopen_url  Launches the defined URL\r\nrun_app  Run a defined package\r\nUpon further analysis, we were able to find the additional Command and Control (C\u0026C) domains,\r\nwebinjects, and configuration data hardcoded by the malware author. The hard-coded C\u0026C domains and configuration data\r\nare shown below.\r\nFigure 14 – Additional C\u0026C domains and configuration data hardcoded by malware author\r\nDynamic C\u0026C servers:\r\nhxxps://s22231232fdnsjds[.]top/PArhFzp5sG2sN/\r\nhxxps://s32231232fdnsjds[.]top/PArhFzp5sG2sN/\r\nhxxps://s42231232fdnsjds[.]top/PArhFzp5sG2sN/\r\nCoper trojans have several defense measures. Controlling the integrity of the core malicious component is one of\r\nthem. The Coper malware will attempt to restore it if it is removed.\r\nCoper malware also has a secondary safety measure to monitor potentially harmful behavior to the trojan, such as:\r\nThe user trying to modify the device administrators’ list.\r\nUser access to the trojan’s information page from the system’s list of installed apps.
\r\nThe user visiting the Google Play Protect page in the Play Store app.\r\nThe user changing the trojan’s access privileges for the Accessibility Services features.\r\nConclusion\r\nAccording to our research, Banking trojans no longer conduct assaults only based on overlay or using rented\r\nMobility as a Service (MaaS), as previously detected in numerous Banking Trojan malware variants.\r\nThis malware uses Virtual Network Computing (VNC) to initiate screen recording services by recognizing the\r\nforeground settings in the list of apps.\r\nFinancial institutions must strengthen their mobile-first approach and prepare for the challenges posed by this\r\nvirus by understanding the security landscape. This aim may be achieved by implementing a real-time threat-driven mobile security strategy.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We\r\nrecommend that our readers follow the best practices given below:\r\nHow To Prevent Malware Infection?\r\nDownload and install software only from official app stores like Google Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs,\r\nlaptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device\r\nwhere possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow To Identify Whether You Are Infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.\r\nWhat To Do When You Are Infected?\r\nDisable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile\r\nData.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat To Do In Case Of Any Fraudulent Transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat Should Banks Do To Protect Their Customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware\r\nattacks via telephone, SMS, or emails. 
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nInitial Access  T1476  Deliver Malicious App via Other Means\r\nDefense Evasion  T1406  Obfuscated Files or Information\r\nInitial Access/Defense Evasion  T1444  Masquerade as Legitimate Application\r\nCollection  T1513  Screen Capture\r\nCollection  T1412  Capture SMS Messages\r\nCredential Access  T1417  Input Capture (Keylogger)\r\nCommand and Control  T1436  Commonly Used Ports\r\nIndicators Of Compromise (IOCs)\r\nIndicators  Indicator Type  Description\r\n4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f  SHA256  Hash of the analysed APK file\r\n9b07766286667e6444c93e86d833a426a5d660f0  SHA1  Hash of the analysed APK file\r\n85b7a0e8cdee68bca806fc45948c2d82  MD5  Hash of the analysed APK file\r\nhxxps://s22231232fdnsjds[.]top/  URL  C\u0026C servers\r\nhxxps://s32231232fdnsjds[.]top/  URL  C\u0026C servers\r\nhxxps://s42231232fdnsjds[.]top  URL  C\u0026C servers\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk\r\nfootprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as\r\none of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit www.cyble.com.\r\nSource: https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/03/24/coper-banking-trojan/"
	],
	"report_names": [
		"coper-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775791240,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/145eb0cb5930f9573037ff42e9bdcf13539be982.pdf",
		"text": "https://archive.orkl.eu/145eb0cb5930f9573037ff42e9bdcf13539be982.txt",
		"img": "https://archive.orkl.eu/145eb0cb5930f9573037ff42e9bdcf13539be982.jpg"
	}
}