Privacy News: Xafecopy Malware Secretly Steals Money From Android Devices

L S (thread author)
In May 2017, Google announced there are more than 2 billion Android users worldwide, making it one of the most popular smartphone operating systems. But that also makes it the most vulnerable and a lucrative target for cyber criminals.

Recently, IT security researchers at Kaspersky have detected a new Android malware aimed at stealing personal and financial information from unsuspecting users around the world. Dubbed Xafecopy by researchers, the malware has infected 4,800 users in 47 countries, with over 37.5 percent of the damage identified by researchers in India, followed by Mexico, Turkey, and Russia.

The malware targets the WAP billing payment method and steals money from targeted devices without the knowledge of the victim. The malware is hidden in utility apps such as BatteryMaster and claims to save battery time, but in reality, once the app is installed it loads malicious code on the targeted device.

[Image: BatteryMaster app]
From there, Xafecopy checks for websites with the Wireless Application Protocol (WAP) billing feature and steals the user's money. WAP billing is a type of mobile payment that charges fees directly to the user’s smartphone bill without the need to enter login credentials or card data. To bypass the ‘captcha’ system developed to protect users from theft and spam, the malware uses JavaScript files.

Furthermore, Xafecopy can also send SMS messages (most likely premium rate SMS), steal and delete incoming SMS messages.

Previously, the Ztorg malware was found following similar tactics, using JavaScript files to bypass captchas.

Roman Unuchek, Senior Malware Analyst at Kaspersky Lab, said that “WAP billing can be particularly vulnerable to so-called ‘clickjacking’ as it has a one-click feature that requires no user authorization. Our research suggests WAP billing attacks are on the rise. Xafecopy’s attacks targeted countries where this payment method is popular. The malware has also been detected with different modifications, such as the ability to send text messages from a mobile device to premium-rate phone numbers, and to delete incoming text messages to hide alerts from mobile network operators about stolen money.”

[Image: While users see a “Battery Master” interface, the Trojan is trying to steal money]

To protect yourself from this and other malware threats, Android users are advised not to download apps from third-party stores, not to install unnecessary apps, and to keep an eye on the apps they download from the Google Play Store, since there are tons of malicious apps uploaded to the Store containing keyloggers and spyware.

Moreover, keep your devices updated, use security software and scan your device on a daily basis.
 

Parsh
The definition of malware for Android looks quite loose at present.
A part of my brain seconds the argument that Android OS does not need any AV, especially when we have permissions management and we limit app sources to the Play Store only. Unfortunately, the permissions manager isn't usually used carefully, and the number of non-Play Store installations across some proportion of the billions of devices is huge.
There have also been cases of spyware, keyloggers and adware making their way onto the Play Store (be it for some time or for long). Some legit-looking apps may get a clean signal when being published, while they can change their behavior and turn malicious/rogue some days after installation.
These may either change the app package installed on your device (without root, these may need user action.. but minute tricks can do wonders, like stating that the app is installing an update) OR out of the blue ask for elevated permissions (like Device Admin / Usage Access / Screen Overlay) OR switch to contacting malicious servers after some time to avoid suspicion and initial detection -- all these among the few known vectors besides malvertising.

All this can make one reconsider the definition of malware on Android and the future possibilities of minor to acute damage to data, privacy and money.
I am not sure how periodic checking by Play Protect can protect against/prevent such instances.. hopefully it'll monitor such changes and add more strength to itself over time!
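Both posts above describe the same manifest-level pattern: a "battery utility" that holds the permissions needed to send (premium-rate) SMS and to see or suppress incoming SMS, and that asks for elevated capabilities such as Device Admin, Usage Access or Screen Overlay. The script below is an added example for this thread, not code from the article, from Kaspersky or from either poster: it parses an AndroidManifest.xml and flags that combination. The two manifests at the bottom are constructed for the example and are not the real BatteryMaster/Xafecopy manifests; the package names, receiver names and the "high"/"medium"/"low" verdict thresholds are my own assumptions.

```python
"""Manifest-level triage for the "battery utility that sends/hides SMS" pattern
discussed in the thread. Added example; the sample manifests at the bottom are
CONSTRUCTED and are not the real BatteryMaster/Xafecopy manifests."""

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app send (premium-rate) SMS or read/suppress incoming SMS.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}
# Screen overlay and usage access are requested as uses-permissions;
# device admin is instead a permission guarding a receiver (checked below).
OVERLAY_OR_USAGE_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.PACKAGE_USAGE_STATS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def analyse_manifest(xml_text):
    """Return a list of finding strings ("tag:detail") for one AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []

    sms = sorted(perms & SMS_PERMS)
    if sms:
        findings.append("sms-permissions:" + ",".join(sms))

    elevated = sorted(perms & OVERLAY_OR_USAGE_PERMS)
    if elevated:
        findings.append("overlay-or-usage-access:" + ",".join(elevated))

    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name")
        if recv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM:
            findings.append("device-admin-receiver:" + name)
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                # A high-priority receiver sees an incoming SMS before the default
                # messaging app; on pre-KitKat Android it could also abort the
                # broadcast, i.e. make operator alerts disappear.
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                findings.append(f"sms-receiver:{name}:priority={prio}")
    return findings


def verdict(findings):
    """Collapse findings into a triage verdict (thresholds are this example's own):
    sending plus intercepting SMS is the combination the thread describes."""
    tags = {f.split(":")[0] for f in findings}
    if "sms-permissions" in tags and "sms-receiver" in tags:
        return "high"
    if tags & {"sms-permissions", "sms-receiver",
               "device-admin-receiver", "overlay-or-usage-access"}:
        return "medium"
    return "low"


# Constructed sample: what a plain battery saver's manifest might look like.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Battery Saver">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: a "battery" app carrying the SMS/overlay/device-admin pattern.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterymaster">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Battery Master">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        found = analyse_manifest(text)
        print(label, verdict(found), found)
```

This is static and only as good as the manifest in front of you: an app that turns rogue later, as Parsh describes, does so through an updated APK or code fetched at runtime, but it still cannot send or intercept SMS without holding these permissions, so re-running the check on every update catches the permission creep even when the first version was clean. The JavaScript used against WAP-billing captchas lives in the app's code or is fetched from a server, not in the manifest, so that part needs dynamic analysis rather than this check.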
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top