1/8 By Baran S February 8, 2023 Play Store App Serves Coper Via GitHub labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/ We at K7 Labs recently came across this twitter post about Coper, a banking Trojan. The main infection vector of Coper was found on the official Google Play Store where it posed as UniFile manager – PDF viewer app with 10,000+ downloads as shown in Figure 1. Figure 1:  UniFile manager – PDF viewer from Google Play Store Once launched, this app requests the user to enable unknown apps source as shown in Figure 2. https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/ https://twitter.com/Threatlabz/status/1617579712062324737 2/8 Figure 2: Enable unknown apps source popup When the user enables “Allow from this source”, this application downloads malicious Coper malware file com.lastcarn_PlayMarket.apk and saves it to the device download folder as PlayMarketUpdate.apk. From the ADB Logcat report we noticed that the malware file “com.lastcarn_PlayMarket.apk” gets downloaded from a GitHub repository as shown in Figure 3. 3/8 Figure 3: ADB Logcat shows malware sample download URL Figure 4 shows that the repository was created by Johmeffer. At the time of writing this blog the GitHub repository was still live. Figure 4: GitHub repository where the malware sample was hosted In this blog, we will be analyzing the package “com.lastcarn” corresponding to the com.lastcarn_PlayMarket.apk which has been downloaded from the above mentioned GitHub repository as shown in Figure 5. Figure 5: Malicious APK downloaded from GitHub 4/8 Once the Coper malware is installed on the device, the app disguises itself as a “Play Market” which frequently brings up the Accessibility Service setting option on the device, as shown in Figure 6, until the user eventually allows this app to have the Accessibility Service enabled. Figure 6: Request for Accessibility Service Once the permissions are granted, this malicious apk decrypts the malicious payload file called “cermb” from the app’s assets folder to an executable dex format named ‘cermb.dex’ and loads the decrypted file as shown in Figure 7. Figure 7: The logcat image shows the cermb.dex file execution at runtime String Decryption To evade detection, all the strings within the class, cermb.dex are encrypted with RC4 key “Pyae9UJ8swZDJz2KI“. Figure 8 shows the decryption routine used by the malware. 5/8 Figure 8:  Decryption routine The Trojan then attempts to intercept SMS messages and aborts the new SMSReceived broadcast to the victim; as per the bot command “EXC_SMSRCV” as shown in Figure 9. 6/8 Figure 9: Intercept SMS messages After abusing the Android Accessibility Service, this Trojan acts as a keylogger to steal the victims’ keystroke information from the device. Figure 10:  Keylogger functionality Figure 11 shows the hard-coded C2 domains embedded in Coper malware. Figure 11: Encrypted and Decrypted C2 Domains The list of Bot commands used by Coper malware are 7/8 bot_smarts_ver close_activity_injects injects_delay keylogger_delay keylogger_enabled last_keylog_send lock_on smart_inject smarts_attempts sms uninstall_apps url vnc_start vnc_stop write_settings EXC_SMSRCV At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats. IoCs Package  Name Hash Detection Name com.readerall.yanerslite C41D025AE669F65A3E89C50C80587AF8  Trojan ( 0001140e1 ) com.lastcarn 3ACD48E20CDC01D9F5A9BC760077F938 Trojan ( 005572801 ) Cermb.dex 6301EC14BD42288212694C2A9B63D2AB Trojan ( 0059e6071 ) C2 https://countnatbt[.]site/YWRhZjAxNGM1YjFh/ https://mix3etbt[.]website/YWRhZjAxNGM1YjFh/ https://btcountates[.]fun/YWRhZjAxNGM1YjFh/ https://3countbt[.]pw/YWRhZjAxNGM1YjFh/ https://vat-app[.]su/YWRhZjAxNGM1YjFh/ 8/8 https://alleggro[.]pw/YWRhZjAxNGM1YjFh/ https://raw[.]githubusercontent[.]com/johmeffer/bpm/main/com.lastcarn_PlayMarket.apk https://github[.]com/alinamslnkv/561/commits?author=alinamslnkv MITRE ATT&CK Tactics Techniques Defense Evasion Application Discovery, Obfuscated Files or Information Credential Access Capture SMS Messages, Access Stored Application Data Discovery System Network Configuration Discovery, Application Discovery, System Information Discovery Collection Screen Capture, Capture SMS Messages, Access Stored Application Data