Xafecopy Trojan

Last updated

Xafecopy Trojan is a malware software targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries. [1] Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico. [2] [3] [4]

Contents

History

Xafecopy was first discovered by Kaspersky in 2017 when it infected thousands of android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly in battery optimizers. Malicious code is downloaded onto the device without the knowledge or consent of the user. [5] The app clicks on web pages that use the Wireless Application Protocol (WAP) billing method, and Xafecopy subscribes the phone to a number of services which charge money directly to the user's mobile phone bill. The technology is also able to bypass Captcha systems. [2] [6]

Xafecopy has been found using JavaScript file names which was previously used by infamous Ztorg Trojan, triggering speculation of a possibility of code sharing between cyber criminal gangs. [7] [8]

Operation

Xafecopy disguises itself as a useful app, often a battery optimizer. [9] It operates by clicking on web pages with WAP billing system which is a form of mobile payment system charged directly to the mobile bill. The malware works in WAP-enabled android devices over a GPRS or 3G wireless connection and is based on the Ubsod family. It was detected by Kaspersky Lab as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the WAP billing URL addresses of the web pages through a command-and-control server. Once the URL address is received at the device, it clicks on the WAP billing links, which initiates a WAP session with the server, which then obtains the user's MSISDN and charges directly to the user's mobile carrier bill and subscribes to unwanted paid services. [10] [2] [11]

Xafecopy appears to use technology which bypasses captcha systems. [2] According to Kaspersky Lab, it shares significant coding obtained from other significant malware. [12]

Modified versions of Xafecopy were also identified to have the capability of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network provider, and hiding alerts about balance deduction by reading incoming messages and checking for words like "subscription". [10]

It is also capable of switching a user from WiFi connection to mobile data, as WAP billing works only when the user is connected to a mobile connection. [10]

See also

Related Research Articles

<span class="mw-page-title-main">Malware</span> Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses on the Internet. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy $6 trillion USD in 2021, and is increasing at a rate of 15% per year.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

Mobile banking is a service provided by a bank or other financial institution that allows its customers to conduct financial transactions remotely using a mobile device such as a smartphone or tablet. Unlike the related internet banking it uses software, usually called an app, provided by the financial institution for the purpose. Mobile banking is usually available on a 24-hour basis. Some financial institutions have restrictions on which accounts may be accessed through mobile banking, as well as a limit on the amount that can be transacted. Mobile banking is dependent on the availability of an internet or data connection to the mobile device.

This is a non-exhaustive list of notable antivirus and Internet Security software, in the form of comparison tables, according to their platform and their operating systems.

<span class="mw-page-title-main">Android (operating system)</span> Mobile operating system

Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets. Android is developed by a consortium of developers known as the Open Handset Alliance and commercially sponsored by Google. It was unveiled in November 2007, with the first commercial Android device, the HTC Dream, being launched in September 2008.

<span class="mw-page-title-main">UC Browser</span> Chinese web browser developed by UCWeb Inc

UC Browser is a web browser developed by mobile internet company UCWeb, a subsidiary of the Alibaba Group. It was the most popular mobile browser in India and Indonesia, and the second most popular one in China as of 2017. Its world-wide browser share as of May 2022 is 0.86% overall according to StatCounter.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software; this approach scored a 23% success rate against Zeus in 2009 and still low rates in a 2011 report. The 2011 report concluded that additional measures on top of antivirus software were needed.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

<span class="mw-page-title-main">Mobile security</span> Security risk and prevention for mobile devices

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Google Play, also branded as the Google Play Store and formerly Android Market, is a digital distribution service operated and developed by Google. It serves as the official app store for certified devices running on the Android operating system and its derivatives as well as ChromeOS, allowing users to browse and download applications developed with the Android software development kit (SDK) and published through Google. Google Play has also served as a digital media store, offering games, music, books, movies, and television programs be. Content that has been purchased on Google Play Movies & TV and Google Play Books can be accessed on a web browser, and through the Android and iOS apps.

<span class="mw-page-title-main">Cheetah Mobile</span> Chinese mobile Internet company

Cheetah Mobile Inc (猎豹移动公司) is a Chinese mobile Internet company headquartered in Beijing. As of January 2017, it has more than 634 million monthly active users.

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious and unwanted software. The malware appears to have been discovered in September 2015 by the security research lab at Cheetah Mobile, who subsequently developed diagnostic software to determine whether a device has been compromised. As of September 2015, twenty variants were in circulation. Latter day versions employed routines which made them harder to detect and remove.

Shedun is a family of malware software targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.

GingerMaster is malware that affects Android operating system version 2.3. It was first detected in August 2011.

<span class="mw-page-title-main">Phone Companion</span>

Phone Companion is an app advertising and file transfer utility included with Windows 10 and available for Windows 10 Mobile. It provides a partial list of Microsoft apps that are available on Android, and Windows 10 Mobile. In order to use the Phone Companion, users must sign in with a Microsoft Account, which will sync installation progress across devices. It is now discontinued and replaced by the Phone Link app in October 2018 Update. Microsoft also confirmed that its Cortana digital assistant app will arrive for Android and iOS, having previously only been available for Windows devices.

CamScanner is a Chinese mobile app first released in 2011 that allows iOS and Android devices to be used as image scanners. It allows users to 'scan' documents and share the photo as either a JPEG or PDF. This app is available free of charge on the Google Play Store and the Apple App Store. The app is based on freemium model, with ad-supported free version and a premium version with additional functions.

References

  1. "Xafecopy Trojan might be stealing money through your smartphone". The Mobile Indian. Retrieved 2017-10-20.
  2. 1 2 3 4 "New malware in India which steals money through mobile phones: Report – Times of India". The Times of India . Retrieved 10 September 2017.
  3. "इस मैलवेयर से मोबाइल यूज़र्स को खतरा, इन ऐप से बनाएं दूरी– News18 हिंदी". News18 India. 10 September 2017. Retrieved 10 September 2017.
  4. "New malware steals money through mobile phones, 40% targets in India: Report". 10 September 2017. Retrieved 10 September 2017.
  5. PTI (10 September 2017). "New malware steals users' money through mobile phones: Kaspersky report" . Retrieved 10 September 2017.
  6. "New malware steals users' money through mobile phones: Report". The Economic Times. 10 September 2017. Retrieved 10 September 2017.
  7. "Mobile malwar еби си майката September 2017".
  8. "xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security" . Retrieved 10 September 2017.
  9. "В России обнаружена эпидемия четырех мобильных троянов" . Retrieved 10 September 2017.
  10. 1 2 3 Lab, Kaspersky. "Malware exploits WAP subscriptions to steal money". www.kaspersky.com. Retrieved 10 September 2017.
  11. www.ETTelecom.com. "'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom". ETTelecom.com. Retrieved 10 September 2017.
  12. "Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steals money via mobile phones". Tech2. 10 September 2017. Retrieved 10 September 2017.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.