SHA1:
- d689039c533ad29dfe7dc16b94a8966d79181ea7
Description
A trojan application for the Android operating system, which is a component of the Android.BankBot.Coper.1 banking trojan. It represents an executable dex file, whose main purpose is to obtain a number of system privileges and install another trojan module that performs the main malicious actions.Operating routine
When launched by the Android.BankBot.Coper.1 dropper, the Android.BankBot.Coper.2.origin module gains access to Accessibility Services, disables the Google Play Protect protection mechanism built into the Android operating system and allows application installation from unknown sources. Next, it automatically installs a trojan apk package (Android.BankBot.Coper.2) that contains the main malicious component. It then grants it access to Accessibility Services. With that, it tries to protect this component and itself from being uninstalled. To do so, Android.BankBot.Coper.2.origin tracks the following events:
- openings of the Google Play Protect page in the Play Market app
- user attempts to change the device administrators list
- user access to the trojan’s information page of the system list of installed apps
- user attempts to change the trojan’s rights to access the Accessibility Services functions
If any of these events are detected, the trojan returns the victim to the home screen, simulating the user pressing the home button. And if the trojan detects an attempt to delete it or the main component, the trojan simulates the user pressing the back button. If the primary malicious component is ultimately deleted, the trojan will reinstall it.
More details on Android.BankBot.Coper.1