{
	"id": "56e72cf1-9563-4faa-bccc-619198aaf0de",
	"created_at": "2026-04-06T00:13:47.38277Z",
	"updated_at": "2026-04-10T03:20:18.085464Z",
	"deleted_at": null,
	"sha1_hash": "5d9ce6cd0520ac7c8aef83fae3d898046bcee1b0",
	"title": "Technical Analysis of Copybara | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87448,
	"plain_text": "Technical Analysis of Copybara | ThreatLabz\r\nBy Ruchna Nigam\r\nPublished: 2024-08-21 · Archived: 2026-04-05 14:49:39 UTC\r\nUpon launching the application, the user is shown an attacker-defined message screen asking the user to enable the Accessibility Service permission for the application, as shown in the figure below. The Accessibility Service is a legitimate feature on Android phones to assist users with disabilities; however, due to the inherent nature of the service, the feature may provide a threat actor with highly granular control over a victim's phone if enabled. If Copybara is installed and not granted the accessibility permission, the malware repeatedly shows notifications and toast messages (as shown in the figure below) to coerce the victim into enabling the service.\r\nFigure 3: Example Copybara launch screen without the accessibility permission enabled.\r\nIf the service is enabled, the user is shown another attacker-defined screen, as shown in the figure below.\r\nFigure 4: Example screenshot of Copybara after the Accessibility Service feature is enabled.\r\nOnce the Accessibility Service feature is enabled, the application prevents the user from accessing some options in the Settings menu, ensuring they are unable to uninstall Copybara. In the background, the malware’s behavior is determined by its configuration. Copybara is designed to download a list of phishing pages from the C2 server. The Copybara C2 responds with a ZIP file containing counterfeit login pages that mimic popular cryptocurrency exchanges and financial institutions. During our analysis, we discovered the existence of two operational C2 servers that were actively serving the phishing pages.\r\nThe figure below shows an open directory of a live C2 server hosting Copybara phishing pages.\r\nFigure 5: Open directory of a live Copybara C2 server hosting phishing pages.\r\nThese phishing pages are designed to deceive unsuspecting users into entering their sensitive information. As depicted in the figure below, an example of one such phishing page imitates a login page for a prominent cryptocurrency exchange.\r\nFigure 6: An example Copybara phishing page designed to look like a popular cryptocurrency exchange.\r\nFinally, the application initiates a connection to an MQTT server on port 52997. Copybara subscribes to a specific queue named commands_FromPC on this server. This connection enables the application to listen for and receive various commands sent by the C2 server.\r\nThe specific commands and their descriptions are provided in the table below.\r\nCommand | Functionality\r\nopen_app_setngs | Opens Settings for the application (otherwise blocked for the user via the Settings menu).\r\nsend_admn_lckdvcs_on | Checks if the device admin feature is enabled. If it is not enabled, the user is prompted to enter a new lock screen password. Subsequently, the malware proceeds to lock the device screen.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-copybara\r\nPage 1 of 6\r\nsend_inj_lst | The malware receives a list of package and filenames associated with injects from the C2 server. If a file with a matching name already exists, the malware first deletes the existing file. Subsequently, it proceeds to download a new file from the C2 server. The downloaded file is then written to disk.\r\nsend_custom_opencam | Initializes an MQTT connection to the C2 server and then starts the device’s rear camera.\r\nsend_custom_opencam2 | Initializes an MQTT connection to the C2 server and then starts the device’s front camera.\r\nsend_custom_opencam_close | Ends camera activity.\r\nsend_custom_fullbright | Maximizes screen brightness.\r\nsend_custom_lowbright | Minimizes screen brightness.\r\nsend_custom_openmics | Transmits audio from the microphone to the C2 server.\r\nsend_custom_openmics_close | Stops transmitting microphone audio to the C2 server.\r\nsend_custom_delallnoties | Deletes all notifications from the victim’s device.\r\nsend_custom_donotdelallnoties | Stops deleting notifications.\r\nsend_custom_pagebuilder | Creates a custom view using settings from the PB_Data object received from the C2 server. The object contains parameters specifying field types and text specifications to construct a custom webview on-the-fly.\r\nclickbyid | Clicks on the screen at the location specified by gesclick, which is received from the C2 server.\r\ndel_my_dv_fm_admnpnl | Closes the connection to the MQTT server and stops the background service.\r\nSend_Open_Recents | Shows an overview of recent applications.\r\ndownextraapp | Downloads an application from an appurl parameter provided by the C2 server, saves it under the filename emptyapp.apk, and installs it.\r\nopenanyurl | Opens a URL provided by the C2 server.\r\nRefrech_hvn_by_Noti | Dismisses open notifications.\r\nGlobalParamsActions | Performs an action specified by the C2 server. The IDs specified by the C2 server correspond to the global actions provided by the Accessibility Service.\r\nEnable_Noti | Based on the value of the Action flag received from the server, the malware dismisses notifications.\r\nisAutoSystDalogClker | Based on the value of the Action flag received from the server, the malware takes measures to restrict access to certain options in the Settings menu. This is done to prevent the uninstallation of the malware by the user.\r\nRequest_TurnoffDeviceScreen_FromAndroid | Turns off the screen capture feature on the victim’s device.\r\nSend_DeviceScreenShot_Permission | Streams the screen activity of the infected device to the MQTT server. The stream is published to the MQTT server in a queue named med.\r\nSend_Custom_LockScreen | Downloads an image from the C2 server. The specific image name, referred to as ImgName, is provided by the server. Once downloaded, the image is saved as a file named locscreen.jpg. However, this functionality is not currently being utilized in the code.\r\nSend_LockScreen_Overlay | Minimizes screen brightness and sets a black background.\r\nSend_LockScreen_Overlay_URL | Displays a webview that opens a specific URL provided by the server through the urllink parameter.\r\nSend_LockScreen_Overlay_CO | Displays a webview containing HTML content that is determined by objects received from the server, such as toptitle, bottomtitle, and imgurl. The imgurl object can either be a local file path or the name of a URI located on the server. In the case of a URI, it is fetched from the C2 server.\r\nSend_UnLockScreen_Overlay | Removes an overlay from the screen.\r\nRequest_HVNC_TableTexts_FromAndroid | Sets a flag value based on the isShowingOnlyTable parameter received from the server. However, this functionality is not currently utilized in the code.\r\nSend_DeviceApps | Retrieves a list of installed packages on the infected device and sends this information to the MQTT server by publishing it to a queue called divap_topc.\r\nSend_KeyLo_Views | Enables or disables the keylogger functionality based on the value of the IsKeyLo parameter received from the C2 server.\r\nSend_Click_FromPCToAndroidDevice | Carries out a gesture on the screen based on the values clickstartx, clickstarty, clickx, and clicky, which are provided by the C2 server.\r\nSend_Text_FromPCToAndroidDevice | Sets the text value, as specified by the textvalue parameter, to the currently focused node on the screen (equivalent to injecting keystrokes).\r\nSend_Important_Views_Only | Sets a flag based on the value of the isImportantViewsOnly parameter received from the C2 server. However, this flag is not currently utilized in the code.\r\nFormatthisDevice | Clears browser history and wipes data on the device.\r\nSend_CallPhoneNumber | Initiates a phone call to a specific number provided by the C2 server through the phonenumber parameter.\r\nSend_Change_H_Quality | Adjusts the image quality of screenshots sent to the C2 server based on the value provided by the intqulaity parameter received from the C2 server.\r\nGet_Device_CallLogs | Publishes contact information from the device to the MQTT server at a queue named Device_Calls_Logs_Save.\r\nSend_GlobalAction_FromPCToAdroid | Executes an Accessibility Service action on the phone, depending on the value of the Action parameter received from the C2 server.\r\nSend_ChangeVNCFPS | Adjusts the frames per second (fps) value based on the fpsdata parameter received from the C2 server. This adjustment is made when sending images to the server.\r\nHide_AppData_Info | Hides or displays the application icon in the phone menu based on the value of the isshouldshow parameter received from the C2 server.\r\nSend_Wakeup_Device | Disables the lock screen.\r\nSend_Request_Permissions | Requests a specific permission based on the value of the permission parameter received from the C2 server.\r\nSend_Open_CertainApp | Initiates the launch of a specific application as indicated by the apppackage parameter received from the C2 server.\r\nSend_Uninstall_CertainApp | Deletes a specific application, as indicated by the apppackage parameter received from the C2 server.\r\nSend_blocknoti_CertainApp | Enables the blocking of notifications for a specific application as indicated by the apppackage parameter received from the C2 server.\r\nSend_Block_Certain_App | Blocks the user from opening a specific application as indicated by the apppackage parameter received from the C2 server.\r\nSend_Swipe_Action_ACS | Performs a swipe action using the values firstX, firstY, secondX, secondY, and intSpeed provided by the C2 server.\r\nSend_Swipe_wheel_Action_ACS | Performs a swipe action using the values for firstX, firstY, secondX, secondY, and intSpeed provided by the C2 server.\r\nSend_fromtblclick_ACS | Performs a swipe action using the values for firstX, firstY, secondX, secondY, and intSpeed provided by the C2 server.\r\nSend_Pattren_Action_ACS | Enters a pattern using the values firstX, firstY, secondX, secondY, and intSpeed provided by the C2 server.\r\nSend_PZ_Action_ACS | Performs a gesture using the values for movx1, movy1, line1X, Line1Y, movx2, movy2, line2X, Line2Y, and intSpeed provided by the C2 server.\r\nSend_Create_Notification | Creates a notification using the data received from the C2 server through the parameters title, description, filename, and pkgname. The filename object is utilized to download an icon image from the C2 server.\r\nSend_Show_Pattren_Buttons | Sets a flag based on the value of the IsPattren parameter received from the C2 server. However, this flag is not currently used in the code.\r\nSendSMS_To_Admin | Publishes SMS messages collected from the infected device to the MQTT server at a queue named Send_SMS_To_Admin_From_Android.\r\ndel_SMS_FromAdmin | Deletes a specific SMS from the phone as indicated by the smsid parameter received from the server.\r\nSend_SMSMessage_ToNumber | Sends an SMS using the phone number and SMS body specified by the phonenumber and SMSBody parameters received from the C2 server.\r\nAdmin_ConnectedToDevice | Sends a heartbeat message to the C2 server.\r\nTable 1: Copybara commands and functionalities.\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-copybara",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-copybara"
	],
	"report_names": [
		"technical-analysis-copybara"
	],
	"threat_actors": [],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d9ce6cd0520ac7c8aef83fae3d898046bcee1b0.pdf",
		"text": "https://archive.orkl.eu/5d9ce6cd0520ac7c8aef83fae3d898046bcee1b0.txt",
		"img": "https://archive.orkl.eu/5d9ce6cd0520ac7c8aef83fae3d898046bcee1b0.jpg"
	}
}