{
	"id": "b2fe108e-71ce-486a-9e46-00bec7b1e6c2",
	"created_at": "2026-04-06T00:09:24.299174Z",
	"updated_at": "2026-04-10T13:12:20.877401Z",
	"deleted_at": null,
	"sha1_hash": "289ddd80f8062a2eb5d44ffe83f34ff9c44fd6a6",
	"title": "TOAD attacks: Vishing combined with Android banking malware now targeting Italian banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1240758,
	"plain_text": "TOAD attacks: Vishing combined with Android banking malware\r\nnow targeting Italian banks\r\nPublished: 2024-10-01 · Archived: 2026-04-05 17:41:54 UTC\r\nIntroduction\r\nOur Threat Intelligence (TI) shows that telephone-oriented attack delivery (TOAD) tactics are becoming\r\nincreasingly popular amongst fraudsters orchestrating Android banking malware campaigns. Recently, such case\r\nwas reported targeting customers of an Indian bank as spotted by MalwareHunterTeam.\r\nDuring one of our latest investigations, ThreatFabric’s analysts uncovered a network of phishing websites targeting\r\nItalian online-banking users and aiming to steal their banking credentials. Further research defined a connection\r\nbetween this network and the Android banking Trojan dubbed Copybara, that is involved in telephone-oriented\r\nattack delivery performed by the threat actors. Latest version of it introduced unique feature that allows to build and\r\nshow dynamic fake forms on the fly. With the increase in popularity of voice phishing (vishing) attacks, where\r\ncriminals coach victims into installing Android banking malware, we are entering a new era of hybrid fraud attacks.\r\nDespite the popularity of this technique, and the clear trend based on campaigns discovered, vishing used as\r\nmalware distribution tactic is currently not covered by MITRE mobile matrix.\r\nDiscovered campaign targeting Italy\r\nThe campaign discovered by our analysts is targeting multiple Italian banks and their customers. It involves\r\nmultiple phishing sites impersonating several Italian financial services and anti-fraud offices, as it can be seen on\r\nthe following screenshots:\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 1 of 9\n\nTo maintain and manage the large number of phishing pages used in these campaigns, the threat actor(s) used\r\nseveral phishing kits that are quite well-known in the underground scene. Such kits allow to easily create the\r\nphishing page, automatically register phishing domain names and create a short link for it to be used in distribution.\r\nBesides, they also provide a panel that allows to maintain all created websites and monitor their activity. Such panel\r\nis also provided as a service by one of the cybercriminal groups on the underground forum.\r\nAll phishing sites seen in the campaign request similar set of personal data: account number, PIN code, telephone\r\nnumber. Our team noticed that, in some cases, cybercriminals request victims to choose secret questions and\r\nanswers that were set during the registration process with the bank as second factor of authentication. Obviously,\r\ncollecting this data can help cybercriminals to get access to victim’s banking accounts.\r\nAfter submitting the data, victims are notified that a support operator will contact them soon (using the previously\r\ncollected phone number). At this point, the next step of the campaign takes place: the installation of Android\r\nbanking Trojan, with the help of the operator, as part of telephone-oriented attack delivery (TOAD). The threat\r\nactor calls victims and gives instructions to install the necessary “security” app on victim’s device.\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 2 of 9\n\nTelephone-oriented attack delivery threats involve direct call between cybercriminals (e.g., malicious call center)\r\nand a victim. During this call, the victim is being convinced and instructed to install some additional software on\r\nhis/her devices in order for threat actor to be able to perform some further fraud. The installed software can be\r\nlegitimate remote access tools that are used by cybercriminals to have a remote control over victim’s device.\r\nHowever, in some cases the victim is instructed to download and install some specific malicious software\r\ndeveloped or maintained by threat actors. This is the case for the campaign discovered by ThreatFabric analysts,\r\nwhich involves both phishing sites and subsequent TOAD with installation of Copybara Android banking Trojan.\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 3 of 9\n\nAs an entry point for cybercriminals, the victim is asked to install a downloader app that will download the actual\r\npayload. The payload then is installed as an update for the downloader, substituting it.\r\nHowever, the “security” app that is installed on the device is an Android Trojan, that ThreatFabric is tracking as\r\nCopybara. This malware family is also referred to as BRATA by some researchers. However, our threat intelligence\r\nshows that it is not related to original BRATA reported back in 2019 targeting Brazilian users. We uncovered\r\ndifferences between multiple families named BRATA in our blog.\r\nOur research also reveals the name of the threat used by the TAs: Joker. Coincidentally, this name is also used by\r\nanother Android malware family, usually distributed through Google Play, and which specializes in personal\r\ninformation stealing and Subscription services fraud. ThreatFabric can confirm that there is no connection with this\r\nmalware family and the one discussed in this blogpost, distributed via TOAD. To avoid confusion, we will refer to\r\nthis new malware family with the initial name that we assigned to it upon discovery, which is Copybara.\r\nCopybara: Ctrl+C, Ctrl+V, innovations\r\nFirst samples of Copybara seen by ThreatFabric date back to November, 2021. Despite the fact that it was referred\r\nas BRATA by other researchers, TF analysts were able to clearly define it as a separate family, despite using the\r\nsame framework for development. The name “Copybara” was given by our malware analysts is reference to TAs\r\ndevelopment process: Copybara’s code has a lot of parts directly copied and pasted from other publicly available\r\nmodules. Sometimes (like for example with Copybara’s downloader) the code is taken as-is with minor changes in\r\nvariables.\r\nHowever, such approach does not directly imply the weakness of the malware. Despite the code being messy and\r\nfull of non-active sections, the TAs managed to equip the Trojan with remote access capability, which tries to\r\nmasquerade itself as security udpate, while the criminals are performing actions on the infected device “behind the\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 4 of 9\n\ncurtains”. While the TA is connected to infected device, Copybara shows a fake overlay that is semi-transparent to\r\ncover the actions of the cyber criminals.\r\nIt allows actors to stay low and not drag attention of the victim while performing fraudulent actions within the\r\nbanking applications, using data previously stolen with phishing. Copybara’s RAT capabilities are powered by\r\nabusing the AccessibilityService: the C2 server sends a specific command/action to perform and Copybara handles\r\nit with the help of its Accessibility engine. TAs can open arbitrary apps, install additional ones, perform clicks and\r\nswipes, enter text to the text fields, etc.\r\nTF received reports that TA’s use Copybara’s ability to uninstall packages in order to remove the original banking\r\napp to leave the detection window as small as possible.\r\nAnother quite unique feature recently introduced by authors is the ability to dynamically build fake input forms and\r\nshow it to victims. Actors are able to specify arbitrary input fields, text labels, check boxes and collect even more\r\ndata from victims. At the moment these forms are quite simplistic, but the dynamic approach allows TAs to use full\r\npower of Android OS to build genuine-looking screens on-the-fly.\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 5 of 9\n\nThe full list of supported commands of Copybara is provided below.\r\nCommand Description\r\nSendMsg_changeloopsizefromadm not used anymore\r\nSend_OutgoingConnection Initialize new remote connection\r\npermclicked* Initiate request for various permissions\r\nclickondisableenablenoti Open app notifications settings\r\ngetdevicecalllogs Upload device contacts to the C2\r\nSendMsg_SendCallDivert Call to specified number\r\ngetdevicegpdata Send device specific data\r\nsendfaknotiinfo Create a notification with specified title and text\r\nwsh_setkeylogapp Specify the target for keylogging\r\nwsh_LoadKeyLogData Upload keylogging data to the C2\r\nSendMsg_ClickAddLockNewF Display new overlay\r\nSendMsg_ClickAddLockNewQRCode Display new overlay\r\nSendMsg_ClickBackButton Perform click on “Back” button\r\nSendMsg_ClickView Perform click by coordinates\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 6 of 9\n\nCommand Description\r\nSendMsg_ClickSwipe Perform swipe by coordinates\r\nSendMsg_OpenApp Start specified app\r\nSendMsg_SendTextToView Set specified text\r\nSendMsg_SendTextToViewFromKey Set specified text\r\nSendMsg_RefreshData Clear all notifications\r\nSendMsg_ClickHomeButton Perform click on “Home” button\r\nSendMsg_ClickRemoveLock Close overlay\r\nSendMsg_DisconnectFromB4J Close remote connection\r\nSendMsg_OpenRecentApps Open recent apps list\r\nSendMsg_formatdevice Perfom device formatting\r\nSendMsg_sendmesc Send screenshot to the C2\r\nSendMsg_closescreenshot Stop screencasting\r\nSendMsg_ClickAddLock Display overlay\r\nSendMsg_StartScrl Perform scroll\r\nSendMsg_Uninstallapp Uninstall specified app\r\nSendMsg_UninstallThisapp Uninstall itself\r\nSendMsg_DeleteApp Delete app from blocked list\r\nSendMsg_Blockapp Add app to blocked list\r\nSendMsg_DialNumber Call to specified number\r\nbuildtheform Dynamically build the activity\r\nSendMsg_USSDKeys Open activity for USSD request\r\nwsh_sendsmsmessages Send SMS messages\r\nSendMsg_SendSMSToNumber Send SMS to specified number\r\nwsh_WakeupPhone “Wake up” the device by sending clicks\r\ndowninstappp Download and install specified app\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 7 of 9\n\nNot only Copybara\r\nFurther investigation of the infrastructure utilized by the threat actor(s) reveals certain interesting ties to other\r\nTrojans. One of the campaigns involved SMS stealing Trojan. This piece of malware is quite simple in its\r\ncapabilities, only allowing the actors to get control over incoming messages: all the incoming SMS messages are\r\nuploaded to TAs server, thus allowing the TA to perform so-called “new device registration” fraud and log in with\r\nother channel (e.g. web) and intercept all OTPs sent by bank to validate login and further transactions.\r\nConclusion\r\nTelephone-oriented attack delivery (TOAD) cases are becoming a trend on the current mobile threat landscape.\r\nPersonal approach powered with social engineering techniques allow cybercriminals to trick unsuspicious victims\r\nand obtain installations of their Trojans with high likelyhood of success. Moreover, most of the cases end up\r\ninstalling some legitimate remote access tools that are not flagged/detected by antivirus engines.\r\nWe believe that such complicated cases involving threat actor - victim interaction should not be approached in a\r\nconventional, traditional way. Behaviour analytics powered by strong Threat Intelligence is a way to cope with such\r\nfraudulent activity as it provides additional indicators to detect suspicious activity.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe \u0026 frictionless online customer journeys by integrating industry-leading mobile threat intel, behavioural analytics, advanced device fingerprinting and over 10.000 adaptive fraud\r\nindicators. This will give you and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 8 of 9\n\nCopybaraDropper Samples\r\nApp\r\nname\r\nPackage name SHA-256\r\niSecurity com.app.applaunch20 4d9af2be2c55cf306391b10cc1c893f00205e5590c0f5b59e20e2d0b994cffdc\r\niSecurity com.app.applaunch 70842ada0a36eb9448797c4168bd46ac6d523cfccf6e53f79f8e40f2d5c1a257\r\nCopybara Samples\r\nApp\r\nname\r\nPackage name SHA-256\r\nBNL\r\nToken\r\ncom.apk.bnl.token 30b40d95bdd149ba5636de91b80aa60421d1d148032d65f9a8d4f36ef0e0de55\r\nBanca\r\nSicura\r\ncom.com.gruppoisp.app 7cc62bd300b83dab0d12045bb8a0f82bf80ac4c8885922f7156f1766b4cc5c7a\r\nSource: https://www.threatfabric.com/blogs/toad-fraud\r\nhttps://www.threatfabric.com/blogs/toad-fraud\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/toad-fraud"
	],
	"report_names": [
		"toad-fraud"
	],
	"threat_actors": [],
	"ts_created_at": 1775434164,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/289ddd80f8062a2eb5d44ffe83f34ff9c44fd6a6.pdf",
		"text": "https://archive.orkl.eu/289ddd80f8062a2eb5d44ffe83f34ff9c44fd6a6.txt",
		"img": "https://archive.orkl.eu/289ddd80f8062a2eb5d44ffe83f34ff9c44fd6a6.jpg"
	}
}