New Malware Family “Coper” Spreads Among Colombian Android Users

silversurfer

There’s a new family of Android trojans circulating out there, unfortunately even finding their way into the Play Store, targeting mainly Colombian users for now. The set of malicious apps was discovered by researchers at Doctor Web, who have given it the name “Coper.” The apps feature a modular architecture and a multi-stage infection mechanism and also deploy several protective techniques to defend against detection and removal.

“Coper” apps pretend to be the official Android apps of Grupo Bancolombia, a large financial institution in the Latin American country. They mimic the genuine apps right to the icon and GUI level, but the lack of proper functionality is what secures their bad review scores on the Play Store. Notably, they are still available on Android’s official app store as Google hasn’t removed them yet.

Upon installation, the trojan apps attempt to fetch the main malicious module. The fact that this module is missing from the core of the apps explains how they passed Play Protect checks.
The app is actually decrypting and executing a dex file disguised as an HTML file and, at the same time, requests permission to use the Accessibility Services. This ensures that the trojan will be able to serve the victim various false messages and overlays on the screen, click on buttons and links without requiring user interaction, and read the content of other apps.
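
A triage check for the "dex file disguised as an HTML file" behaviour described above, as an added example that is not part of the original post or of Doctor Web's research: it lists `.html`/`.htm` entries in an APK whose content is not markup. It assumes the disguised file ships inside the APK archive; the entry names, the sample archive and the entropy threshold are constructed for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"   # first four bytes of every unencrypted DEX file
HTML_HINTS = (b"<!doctype", b"<html", b"<head", b"<body", b"<div", b"<script")
ENTROPY_LIMIT = 7.0    # assumed threshold in bits per byte; tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for markup, close to 8 for encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_html_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: reason} for .html/.htm entries that are not markup."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith((".html", ".htm")):
                continue
            data = apk.read(info)
            head = data[:512].lower()
            if data.startswith(DEX_MAGIC):
                findings[info.filename] = "plain DEX header"
            elif (not any(h in head for h in HTML_HINTS)
                  and shannon_entropy(data) > ENTROPY_LIMIT):
                findings[info.filename] = "no markup, high entropy"
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a real HTML page, a random-looking blob, a bare DEX header."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/help.html", "<html><body><p>Help page</p></body></html>")
        z.writestr("assets/page.html", blob)  # stands in for an encrypted payload
        z.writestr("assets/plain.htm", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_html_entries(build_sample_apk()).items():
        print(f"{name}: {reason}")
```

A hit is a lead for manual analysis, not a verdict: small encrypted files can fall under the threshold.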