Xafecopy Trojan

Xafecopy Trojan is malware targeting the Android operating system, first identified in September 2017 by the cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users in approximately 47 countries within a month.[1] Users in India were its primary victims, followed by users in Russia, Turkey, and Mexico.[2][3][4]

History

Xafecopy was first discovered by Kaspersky Lab in 2017 after it infected thousands of Android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly battery optimizers. The malicious code is downloaded onto the device without the user's knowledge or consent.[5] The app silently opens web pages that use Wireless Application Protocol (WAP) billing, and Xafecopy subscribes the phone to a number of services that charge money directly to the user's mobile phone bill. The malware is also able to bypass CAPTCHA systems.[2][6]

Xafecopy has been found using JavaScript file names that were previously used by the Ztorg Trojan, prompting speculation that code is being shared between criminal groups.[7][8]

Operation

Xafecopy disguises itself as a useful app, often a battery optimizer.[9] It operates by clicking on web pages that use WAP billing, a form of mobile payment in which charges are added directly to the subscriber's mobile bill. The malware works on WAP-enabled Android devices over a GPRS or 3G mobile connection and is based on the Ubsod family. Kaspersky Lab detects it as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the URLs of WAP billing pages from a command-and-control server. Once a URL arrives on the device, the malware clicks the WAP billing link, which starts a WAP session with the billing server; because the request travels over the mobile network, the carrier identifies the subscriber by MSISDN, and the charge is placed directly on the user's mobile carrier bill, subscribing the user to unwanted paid services.[10][2][11]

Xafecopy appears to use a technique that bypasses CAPTCHA systems.[2] According to Kaspersky Lab, it shares a significant amount of code with other well-known malware.[12]

Modified versions of Xafecopy were also found to be capable of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network operator, and hiding alerts about balance deductions by reading incoming messages and checking for words such as "subscription".[10]

It is also capable of switching the device from a Wi-Fi connection to mobile data, because WAP billing only works when the device is connected through the mobile network.[10]
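The capabilities described in this section (fetching and clicking billing URLs, forcing the device onto mobile data, and reading or suppressing the operator's SMS alerts) each require specific Android permissions, and the combination is what makes a supposed battery optimizer suspicious. The following is an added example of a static manifest triage for that combination; it is not code from Xafecopy and not Kaspersky Lab's detection logic. The mapping from behaviour to permission is an assumption, and both manifests are constructed sample input.

```python
"""Static triage of an Android manifest for the permission combination that a
WAP-billing clicker would need. Added example, not Xafecopy's or Kaspersky's
code; the behaviour-to-permission mapping is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # ElementTree form of android:name
PRIORITY = "{%s}priority" % ANDROID_NS  # android:priority on an intent-filter

# Assumed capability groups (the permission strings are real Android ones).
NET_ACCESS = {"android.permission.INTERNET"}
NET_SWITCH = {"android.permission.CHANGE_WIFI_STATE",
              "android.permission.CHANGE_NETWORK_STATE",
              "android.permission.WRITE_SETTINGS"}
SMS_READ = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND = {"android.permission.SEND_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def sms_receiver_priority(root):
    """Highest android:priority of any receiver listening for SMS_RECEIVED,
    or None if there is none. A high priority lets the receiver see an
    incoming SMS before the default messaging app does."""
    best = None
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(PRIORITY, "0"))
                best = prio if best is None else max(best, prio)
    return best


def triage(manifest_xml):
    """Return the findings for one manifest and whether the combination
    of capabilities matches the clicker profile described above."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    prio = sms_receiver_priority(root)

    findings = []
    if perms & NET_ACCESS and perms & NET_SWITCH:
        findings.append("can reach C2/billing URLs and force mobile data")
    if perms & SMS_READ and prio is not None:
        findings.append("intercepts incoming SMS (priority %d)" % prio)
    if perms & SMS_SEND:
        findings.append("can send SMS (premium-rate abuse possible)")

    # Caveat: a genuine battery optimizer may legitimately toggle Wi-Fi, so
    # network switching alone is not flagged; SMS access alongside it is.
    suspicious = (perms & NET_ACCESS and perms & NET_SWITCH
                  and (prio is not None or perms & SMS_SEND))
    return {"findings": findings, "suspicious": bool(suspicious)}


# Constructed sample manifests (hypothetical package and class names).
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""

CLICKER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN), ("clicker", CLICKER)):
        print(label, triage(xml))
```

The benign optimizer is not flagged even though it can toggle Wi-Fi, while the second manifest is, because it pairs network switching with SMS interception and sending. A manifest check like this only prioritises samples for analysis; the billing URLs and the word list used to filter alerts are only visible by decompiling the app or observing its traffic.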

References

  1. "Xafecopy Trojan might be stealing money through your smartphone". The Mobile Indian. Retrieved 2017-10-20.
  2. "New malware in India which steals money through mobile phones: Report – Times of India". Retrieved 10 September 2017.
  3. "This malware puts mobile users at risk; keep away from these apps – News18 Hindi". News18 India. Retrieved 10 September 2017.
  4. "New malware steals money through mobile phones, 40% targets in India: Report". 10 September 2017. Retrieved 10 September 2017.
  5. PTI (10 September 2017). "New malware steals users' money through mobile phones: Kaspersky report". Retrieved 10 September 2017.
  6. "New malware steals users' money through mobile phones: Report". 10 September 2017. Retrieved 10 September 2017 via The Economic Times.
  7. "Mobile malware … September 2017" (title partly garbled in the source).
  8. "Xafecopy Trojan in India which steals money through mobile phones – mobile security". Retrieved 10 September 2017.
  9. "An epidemic of four mobile Trojans detected in Russia". Retrieved 10 September 2017.
  10. Kaspersky Lab. "Malware exploits WAP subscriptions to steal money". www.kaspersky.com. Retrieved 10 September 2017.
  11. ETTelecom. "'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom". ETTelecom.com. Retrieved 10 September 2017.
  12. "Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steal money via mobile phones". Tech2. Retrieved 10 September 2017.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.