Xafecopy Trojan
Xafecopy is a Trojan targeting the Android operating system, first identified in September 2017 by the cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries.[1] Users in India were its primary victims, followed by users in Russia, Turkey, and Mexico.[2][3][4]
History
Xafecopy was first discovered by Kaspersky Lab in 2017, when it infected thousands of Android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly battery optimizers. The malicious code is downloaded onto the device without the user's knowledge or consent.[5] The app clicks on web pages that use Wireless Application Protocol (WAP) billing, and Xafecopy thereby subscribes the phone to a number of services that charge money directly to the user's mobile phone bill. The malware is also reported to be able to bypass CAPTCHA systems.[2][6]
Xafecopy was found to use JavaScript file names previously used by the Ztorg Trojan, prompting speculation that code was shared between cybercriminal gangs.[7][8]
Operation
Xafecopy disguises itself as a useful app, often a battery optimizer.[9] It operates by clicking on web pages that use WAP billing, a form of mobile payment charged directly to the mobile bill. The malware works on WAP-enabled Android devices over a GPRS or 3G connection and is based on the Ubsod family. Kaspersky Lab detects it as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the URLs of WAP billing pages from a command-and-control server. Once a URL is received on the device, the malware clicks the WAP billing link, which initiates a WAP session with the server; the server obtains the user's MSISDN (mobile subscriber number), charges the user's mobile carrier bill directly, and subscribes the user to unwanted paid services.[10][2][11]
Xafecopy appears to use technology that bypasses CAPTCHA systems.[2] According to Kaspersky Lab, it shares a significant amount of code with other well-known malware.[12]
Modified versions of Xafecopy were also found to be capable of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network provider, and hiding alerts about balance deductions by reading incoming messages and checking for words such as "subscription".[10]
It is also capable of switching the user from a Wi-Fi connection to mobile data, since WAP billing works only when the user is connected over the mobile network.[10]
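The flow described in this section (C2-supplied billing URLs, the forced switch to mobile data, the carrier-side identification of the subscriber, and the SMS filter that hides the operator's charge notice) can be modelled end to end. The following is an added illustration, not code from Kaspersky Lab or from the malware itself. It assumes, beyond what the page states, that the billing page learns the subscriber's MSISDN from a carrier-injected `X-MSISDN` request header that is only present on mobile data (a common form of header enrichment); the hostnames, URLs, number and message texts are constructed for the example.

```python
"""Model of the Xafecopy-style WAP-billing fraud flow described above.

Added illustration only; not code from Kaspersky Lab or from the malware.
Assumed (not stated on the page): the billing page learns the subscriber's
MSISDN from a carrier-injected ``X-MSISDN`` request header, which is only
present on mobile data. Hostnames, URLs and message texts are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

WIFI, MOBILE = "wifi", "mobile"


@dataclass
class Device:
    msisdn: str                                  # subscriber number known to the carrier
    network: str = WIFI
    inbox: list = field(default_factory=list)    # SMS the user can actually see
    bill: list = field(default_factory=list)     # (service, price) charges on the bill


class WapBillingServer:
    """Mock operator billing page: one click subscribes the MSISDN it is given."""

    def __init__(self, host, price):
        self.host = host
        self.price = price
        self.subscriptions = {}                  # msisdn -> set of services

    def handle(self, path, headers):
        msisdn = headers.get("X-MSISDN")
        if not msisdn:
            return 403, None                     # no carrier identity: nothing to bill
        service = path.strip("/")
        self.subscriptions.setdefault(msisdn, set()).add(service)
        return 200, (service, self.price)


class Carrier:
    """Mobile network: header enrichment on mobile data, charge notice by SMS."""

    def __init__(self, servers):
        self.servers = {s.host: s for s in servers}

    def request(self, device, url):
        parsed = urlparse(url)
        # assumption: the MSISDN is only injected when traffic rides the mobile network
        headers = {"X-MSISDN": device.msisdn} if device.network == MOBILE else {}
        status, charge = self.servers[parsed.hostname].handle(parsed.path, headers)
        if status == 200:
            service, price = charge
            device.bill.append((service, price))
            # the operator's notification the victim should have seen
            device.inbox.append(
                f"Your subscription to {service} is active; {price} charged to your account.")
        return status


HIDE_KEYWORDS = ("subscription",)                # page: modified variants look for words like this


def sms_hidden(text):
    """Filter a modified Xafecopy variant applies to incoming SMS."""
    return any(k in text.lower() for k in HIDE_KEYWORDS)


def run_clicker(device, carrier, c2_urls):
    """One cycle of the Trojan: force mobile data, click the C2 URLs, hide the evidence."""
    if device.network == WIFI:                   # WAP billing only works on the mobile network
        device.network = MOBILE
    statuses = [carrier.request(device, url) for url in c2_urls]
    device.inbox = [m for m in device.inbox if not sms_hidden(m)]
    return statuses


def demo():
    """Run the flow on constructed data; return (device, wifi_status, statuses)."""
    server = WapBillingServer("billing.example", price="5.00")
    carrier = Carrier([server])
    c2_urls = [                                  # constructed stand-ins for C2-supplied links
        "http://billing.example/premium-videos",
        "http://billing.example/ringtones",
    ]
    victim = Device(msisdn="+911234567890")      # constructed number
    wifi_status = carrier.request(victim, c2_urls[0])   # on Wi-Fi the click is not billable
    statuses = run_clicker(victim, carrier, c2_urls)
    return victim, wifi_status, statuses


if __name__ == "__main__":
    victim, wifi_status, statuses = demo()
    print("Wi-Fi attempt:", wifi_status, "| mobile data:", statuses)
    print("charges:", victim.bill, "| visible SMS:", victim.inbox)
```

The Wi-Fi request fails because the mock billing page never sees a subscriber identity, which is exactly why the Trojan forces the device onto mobile data before clicking; after the cycle the bill carries two charges while the inbox is empty, because both operator notices contained the word the filter looks for. A defender reading SMS-permission requests together with network-state changes in a "battery optimizer" would have both halves of this behaviour to look for.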
See also
- Trojan horse (computing)
- WAP
References
- ^ "Xafecopy Trojan might be stealing money through your smartphone". The Mobile Indian. Retrieved 2017-10-20.
- ^ a b c d "New malware in India which steals money through mobile phones: Report – Times of India". The Times of India. Retrieved 10 September 2017.
- ^ "This malware threatens mobile users, stay away from these apps" (in Hindi: "इस मैलवेयर से मोबाइल यूज़र्स को खतरा, इन ऐप से बनाएं दूरी"). News18 India. 10 September 2017. Retrieved 10 September 2017.
- ^ "New malware steals money through mobile phones, 40% targets in India: Report". 10 September 2017. Retrieved 10 September 2017.
- ^ PTI (10 September 2017). "New malware steals users' money through mobile phones: Kaspersky report". Retrieved 10 September 2017.
- ^ "New malware steals users' money through mobile phones: Report". The Economic Times. 10 September 2017. Retrieved 10 September 2017.
- ^ "Mobile malware, September 2017".
- ^ "xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security". Retrieved 10 September 2017.
- ^ "An epidemic of four mobile Trojans discovered in Russia" (in Russian: "В России обнаружена эпидемия четырех мобильных троянов"). Retrieved 10 September 2017.
- ^ a b c Kaspersky Lab. "Malware exploits WAP subscriptions to steal money". www.kaspersky.com. Retrieved 10 September 2017.
- ^ "'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom". ETTelecom.com. Retrieved 10 September 2017.
- ^ "Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steals money via mobile phones". Tech2. 10 September 2017. Retrieved 10 September 2017.