Xafecopy Trojan

From HandWiki
Short description: Malware software

Xafecopy Trojan is malware targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users in approximately 47 countries within a month.[1] Users in India were its primary victims, followed by users in Russia, Turkey, and Mexico.[2][3][4]

History

Xafecopy was first discovered by Kaspersky in 2017, when it infected thousands of Android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly battery optimizers. Malicious code is downloaded onto the device without the knowledge or consent of the user.[5] The app clicks on web pages that use the Wireless Application Protocol (WAP) billing method, and Xafecopy subscribes the phone to a number of services that charge money directly to the user's mobile phone bill. It is also able to bypass CAPTCHA systems.[2][6]

Xafecopy has been found using JavaScript file names that were previously used by the infamous Ztorg Trojan, prompting speculation about possible code sharing between cybercriminal gangs.[7][8]

Operation

Xafecopy disguises itself as a useful app, often a battery optimizer.[9] It operates by clicking on web pages that use WAP billing, a form of mobile payment charged directly to the user's mobile bill. The malware works on WAP-enabled Android devices over a GPRS or 3G wireless connection and is based on the Ubsod family. It was detected by Kaspersky Lab as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the URLs of WAP billing pages from a command-and-control server. Once a URL is received on the device, the malware clicks on the WAP billing links, which initiates a WAP session with the server; the server then obtains the user's MSISDN, charges the user's mobile carrier bill directly, and subscribes the user to unwanted paid services.[10][2][11]

Xafecopy appears to use technology that bypasses CAPTCHA systems.[2] According to Kaspersky Lab, it shares significant code with other significant malware.[12]

Modified versions of Xafecopy were also found to be capable of sending SMS messages from the device to premium-rate phone numbers, deleting incoming SMS messages from the mobile network provider, and hiding alerts about balance deductions by reading incoming messages and checking for words like "subscription".[10]

It is also capable of switching a user from a Wi-Fi connection to mobile data, as WAP billing works only when the user is on a mobile connection.[10]
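
The behaviours described in this section (SMS sending and interception, forcing mobile data, loading remote billing pages) each require an Android permission, so a decoded manifest can be triaged statically. The Python code below is an added example, not from Kaspersky Lab or the cited sources; the behaviour-to-permission mapping, the verdict rule, the package names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, prefer defusedxml

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS = {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS"}
WIFI = {P + "CHANGE_WIFI_STATE"}
NET = {P + "INTERNET"}

# Assumed mapping from behaviours in the article to permission groups.
BEHAVIOURS = {
    "sends or intercepts SMS": SMS,
    "can switch Wi-Fi off to force mobile data": WIFI,
    "can load remote WAP billing pages": NET,
}

def requested_permissions(manifest_xml):
    """Return the set of permissions named in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml):
    """Flag apps whose permissions cover every behaviour group at once."""
    perms = requested_permissions(manifest_xml)
    matched = [label for label, group in BEHAVIOURS.items() if perms & group]
    verdict = "review" if len(matched) == len(BEHAVIOURS) else "ok"
    return {"verdict": verdict, "behaviours": matched}

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    rows = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, rows))

# Constructed samples: a "battery optimizer" with SMS/Wi-Fi control, and a plain one.
SUSPECT = _manifest("com.example.batteryboost",
                    ["INTERNET", "SEND_SMS", "RECEIVE_SMS", "CHANGE_WIFI_STATE"])
BENIGN = _manifest("com.example.batterystats", ["INTERNET", "BATTERY_STATS"])

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

A "review" verdict only means the permission set is broader than a battery utility plausibly needs; it is a prompt for manual analysis, not a detection of Xafecopy itself.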

References

  1. "Xafecopy Trojan might be stealing money through your smartphone". The Mobile Indian. https://www.themobileindian.com/news/xafecopy-trojan-might-be-stealing-money-through-your-smartphone-19085. 
  2. "New malware in India which steals money through mobile phones: Report – Times of India". http://timesofindia.indiatimes.com/india/new-malware-in-india-which-steals-money-through-mobile-phones-report/articleshow/60448682.cms. 
  3. "Mobile users at risk from this malware, keep away from these apps – News18 Hindi". 10 September 2017. https://hindi.news18.com/news/tech/xafecopy-trojan-malware-target-on-40-percent-indian-users-1104705.html. 
  4. "New malware steals money through mobile phones, 40% targets in India: Report". 10 September 2017. http://www.hindustantimes.com/tech/new-malware-steals-money-through-mobile-phones-40-targets-in-india-report/story-SBtu1KhmV7mMTwOkftKw4I.html. 
  5. PTI (10 September 2017). "New malware steals users' money through mobile phones: Kaspersky report". http://www.livemint.com/Technology/GS8qtvZPnk9qKlFctv6TeJ/New-malware-steals-users-money-through-mobile-phones-Kaspe.html. 
  6. "New malware steals users' money through mobile phones: Report". The Economic Times. 10 September 2017. http://economictimes.indiatimes.com/tech/internet/new-malware-steals-users-money-through-mobile-phones-report/articleshow/60448837.cms. 
  7. "Mobile malware". September 2017. http://www.gadgetsnow.com/tech-news/mobile-malware-xafecopy-robs-victims-through-wap-billing-almost-40-of-targets-in-india/articleshow/60403089.cms. 
  8. "xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security". http://www.mathrubhumi.com/technology/mobiles/xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security-1.2227352. 
  9. "Epidemic of four mobile Trojans detected in Russia". https://news.rambler.ru/scitech/37743219-v-rossii-obnaruzhena-epidemiya-chetyreh-mobilnyh-troyanov/. 
  10. Lab, Kaspersky. "Malware exploits WAP subscriptions to steal money". https://www.kaspersky.com/blog/wap-billing-trojans/18080/. 
  11. www.ETTelecom.com. "'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom". http://telecom.economictimes.indiatimes.com/news/xafecopy-mobile-malware-detected-in-40pct-of-india-looting-victims-through-wap-billing/60408178. 
  12. "Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steals money via mobile phones". 10 September 2017. http://www.firstpost.com/tech/news-analysis/xafecopy-trojan-a-new-malware-detected-in-india-it-disguises-itself-as-an-app-to-steals-money-via-mobile-phones-4028709.html.