{
	"id": "92bcbc1f-02bf-4245-be7d-7569f899d30c",
	"created_at": "2026-04-06T00:18:25.69998Z",
	"updated_at": "2026-04-10T03:30:33.045544Z",
	"deleted_at": null,
	"sha1_hash": "508c8c35172d8b63364ccfc28cfa21cc4e6a0491",
	"title": "Play Store App Serves Coper Via GitHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1056546,
	"plain_text": "Play Store App Serves Coper Via GitHub\r\nPublished: 2023-02-08 · Archived: 2026-04-05 14:06:52 UTC\r\nWe at K7 Labs recently came across a Twitter post about Coper, an Android banking Trojan. The main infection vector of Coper was found on the official Google Play Store, where it posed as the “UniFile manager – PDF viewer” app with 10,000+ downloads, as shown in Figure 1.\r\nFigure 1: UniFile manager – PDF viewer from Google Play Store\r\nOnce launched, the app asks the user to allow installation from unknown sources (the “Install unknown apps” setting), as shown in Figure 2.\r\nhttps://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/\r\nPage 1 of 8\r\nFigure 2: Enable unknown apps source popup\r\nWhen the user enables “Allow from this source”, the app downloads the Coper payload com.lastcarn_PlayMarket.apk and saves it to the device’s Download folder as PlayMarketUpdate.apk. The Play Store app is therefore only a first-stage dropper; the banking-Trojan functionality is in the downloaded APK.\r\nFrom the ADB Logcat output we noticed that “com.lastcarn_PlayMarket.apk” is fetched from a GitHub repository, as shown in Figure 3.\r\nFigure 3: ADB Logcat shows malware sample download URL\r\nFigure 4 shows that the repository was created by the GitHub user Johmeffer. At the time of writing, the repository was still live.\r\nFigure 4: GitHub repository where the malware sample was hosted\r\nIn this blog we analyze the package “com.lastcarn”, i.e. com.lastcarn_PlayMarket.apk as downloaded from the above GitHub repository, as shown in Figure 5.\r\nFigure 5: Malicious APK downloaded from GitHub\r\nOnce installed, Coper disguises itself as “Play Market” and repeatedly opens the Accessibility Service settings screen, as shown in Figure 6, until the user eventually enables the Accessibility Service for it.\r\nFigure 6: Request for Accessibility Service\r\nOnce the permission is granted, the APK decrypts the payload file “cermb” from its assets folder into a DEX file, “cermb.dex”, and loads it at runtime, as shown in Figure 7. The analysis that follows refers to this decrypted DEX, which has its own detection in the IoCs below.\r\nFigure 7: The logcat image shows the cermb.dex file execution at runtime\r\nString Decryption\r\nTo evade detection, all strings in cermb.dex are encrypted with RC4 under the key “Pyae9UJ8swZDJz2KI”.\r\n
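The RC4 string decryption described above, as an added example that is not part of the original K7 Labs post and not the malware’s own routine: a plain Python RC4 implementation keyed with the key quoted in the post, plus a small loop that decrypts a batch of blobs and keeps only those that decode to printable text, which is how an analyst separates real string constants from noise. The sample blobs are constructed inside the block by encrypting three of the bot-command names listed later in the post; they are not values extracted from cermb.dex. If, as Figure 11 suggests, the hard-coded C2 domains are stored as RC4 strings under the same key, the same loop recovers them.

```python
# Added example: RC4 as used for string decryption in the Coper post.
# Illustrative analyst code, not the malware's routine. The key is the one quoted
# in the post; the ciphertexts below are constructed here, not taken from the sample.
from typing import Iterable

RC4_KEY = b'Pyae9UJ8swZDJz2KI'  # key named in the post


def rc4_ksa(key: bytes) -> list:
    '''Key-scheduling algorithm: permute 0..255 under the key.'''
    if not key:
        raise ValueError('RC4 key must not be empty')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    '''RC4 is symmetric: the same call encrypts and decrypts.'''
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_strings(key: bytes, blobs: Iterable[bytes]) -> list:
    '''Decrypt each blob and keep only results that are printable UTF-8.
    A wrong key or a non-string blob almost always fails this filter.'''
    found = []
    for blob in blobs:
        plain = rc4_crypt(key, blob)
        try:
            text = plain.decode('utf-8')
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            found.append(text)
    return found


# Constructed sample input: bot-command names from the post, RC4-encrypted here
# with the post's key so the example runs offline. NOT bytes from cermb.dex.
SAMPLE_PLAINTEXTS = ['EXC_SMSRCV', 'keylogger_enabled', 'vnc_start']
SAMPLE_BLOBS = [rc4_crypt(RC4_KEY, p.encode()) for p in SAMPLE_PLAINTEXTS]
# Junk blob that must be rejected by the printable filter.
JUNK_BLOB = bytes([0x00, 0xFF, 0xFE, 0x80])


def demo() -> list:
    '''Decrypt the constructed blobs; returns the recovered strings only.'''
    return decrypt_strings(RC4_KEY, SAMPLE_BLOBS + [JUNK_BLOB])


if __name__ == '__main__':
    for blob, text in zip(SAMPLE_BLOBS, demo()):
        print(blob.hex(), '->', text)
```

Swap SAMPLE_BLOBS for byte arrays pulled from the DEX’s string-constant pool to run this against a real sample; the printable-text filter is what tells you whether the key is right.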
Figure 8 shows the decryption routine used by the malware.\r\nFigure 8: Decryption routine\r\nThe Trojan then intercepts incoming SMS messages: on the bot command “EXC_SMSRCV”, it aborts the SMS_RECEIVED broadcast so that the victim is not notified of the new message, as shown in Figure 9. (Since Android 4.4 the system ignores attempts to abort the SMS_RECEIVED broadcast, so on current Android versions a third-party app can suppress a message only while it is the default SMS app.)\r\nFigure 9: Intercept SMS messages\r\nBy abusing the Android Accessibility Service, the Trojan also acts as a keylogger and steals the victim’s keystrokes, as shown in Figure 10.\r\nFigure 10: Keylogger functionality\r\nFigure 11 shows the hard-coded C2 domains embedded in Coper, both in their encrypted form and after decryption.\r\nFigure 11: Encrypted and Decrypted C2 Domains\r\nThe bot commands used by Coper are:\r\nbot_smarts_ver\r\nclose_activity_injects\r\ninjects_delay\r\nkeylogger_delay\r\nkeylogger_enabled\r\nlast_keylog_send\r\nlock_on\r\nsmart_inject\r\nsmarts_attempts\r\nsms\r\nuninstall_apps\r\nurl\r\nvnc_start\r\nvnc_stop\r\nwrite_settings\r\nEXC_SMSRCV\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats.\r\nIoCs\r\nPackage Name | Hash (MD5) | Detection Name\r\ncom.readerall.yanerslite | C41D025AE669F65A3E89C50C80587AF8 | Trojan ( 0001140e1 )\r\ncom.lastcarn | 3ACD48E20CDC01D9F5A9BC760077F938 | Trojan ( 005572801 )\r\nCermb.dex | 6301EC14BD42288212694C2A9B63D2AB | Trojan ( 0059e6071 )\r\nC2\r\nhttps://countnatbt[.]site/YWRhZjAxNGM1YjFh/\r\nhttps://mix3etbt[.]website/YWRhZjAxNGM1YjFh/\r\nhttps://btcountates[.]fun/YWRhZjAxNGM1YjFh/\r\nhttps://3countbt[.]pw/YWRhZjAxNGM1YjFh/\r\nhttps://vat-app[.]su/YWRhZjAxNGM1YjFh/\r\nhttps://alleggro[.]pw/YWRhZjAxNGM1YjFh/\r\nhttps://raw[.]githubusercontent[.]com/johmeffer/bpm/main/com.lastcarn_PlayMarket.apk\r\nhttps://github[.]com/alinamslnkv/561/commits?author=alinamslnkv\r\nMITRE ATT\u0026CK\r\nTactic | Techniques\r\nDefense Evasion | Application Discovery, Obfuscated Files or Information\r\nCredential Access | Capture SMS Messages, Access Stored Application Data\r\nDiscovery | System Network Configuration Discovery, Application Discovery, System Information Discovery\r\nCollection | Screen Capture, Capture SMS Messages, Access Stored Application Data\r\nSource: https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/"
	],
	"report_names": [
		"play-store-app-serves-coper-via-github"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/508c8c35172d8b63364ccfc28cfa21cc4e6a0491.pdf",
		"text": "https://archive.orkl.eu/508c8c35172d8b63364ccfc28cfa21cc4e6a0491.txt",
		"img": "https://archive.orkl.eu/508c8c35172d8b63364ccfc28cfa21cc4e6a0491.jpg"
	}
}