What is Copybara malware (Android)

Copybara malware is a Remote Access Trojan (RAT) that targets Android users. It has been active for several years now and mainly targets users in Italy and Spain. It’s a very dangerous piece of malware because it can allow its operators to steal sensitive information from the infected device.

 

 

Remote Access Trojans like Copybara are classified as very dangerous infections. Copybara can target Android devices all over the world but seems particularly focused on Spain and Italy, so users in these two countries are most at risk. The malware may also be used to target high-profile individuals and organizations. What makes Copybara such a dangerous infection is its wide range of features, from silently stealing files to encryption.

Once Copybara enters a device, it starts requesting permissions. It immediately requests that users give it permission to use Accessibility Services. This is a feature that helps users with certain disabilities to use their devices more conveniently. However, when this feature is abused, it essentially gives malware access to users’ devices. By abusing Accessibility Services, the malware can read screens, interact with the keyboard (e.g. record keystrokes), read notifications, etc.

Copybara has the capability to open and delete apps. It can also manage notifications, including hiding displayed notifications from certain apps, and can even delete them. It also is capable of recording the screen and audio, which would be a severe breach of privacy.

The malware can read and delete SMS messages, as well as send SMS to certain numbers. It can also make phone calls to certain numbers. This could be used to make the device call premium numbers that have expensive per-minute rates.

Another alarming feature that Copybara has is overlaying. The malware downloads fake pages from its Command & Control servers and overlays them on genuine apps. For example, if users try to access their online bank, an overlay screen will be displayed. If users type in their login credentials on this phishing overlay page, they would be immediately sent to the cybercriminals operating the trojan, allowing them access to users’ bank accounts.

The malware could also be used to encrypt files on the device, as well as lock down the device itself, allowing malicious actors to demand a ransom.

Overall, the Copybara malware is a very serious infection that can result in stolen and permanently lost data, identity theft, financial loss, privacy issues, etc.

How does Copybara malware (Android) enter the device?

The Copybara malware can be distributed in several different ways. First of all, Copybara malware may be disguised as legitimate apps on various third-party app stores and questionable download sites.

It could also be spread using phishing and social engineering attacks. This is how cybercriminals would spread it when they target a specific person/organization. If malicious actors can get access to personal information, the social engineering attacks could be very sophisticated and seem convincing. However, such sophisticated attacks are usually reserved for high-profile targets.

Like with all malware, it’s also possible to encounter Copybara RAT when downloading cracks and pirated content. Malware is very prevalent on various third-party app stores and dubious download sites as well.

How to protect yourself from Android malware

There are several ways you can protect your Android device from malware.

Research apps before downloading

It’s strongly recommended to always research apps before installing them, even if you’re planning on downloading them from a legitimate source. Always check the developer, read reviews, and inspect permission requests.

Use legitimate stores/platforms to download apps

To avoid installing questionable or malicious apps, use official stores and download platforms for apps. Third-party app stores often have poor security and are badly regulated, and this allows malicious actors to upload malicious apps. Google Play Store is the best place to download apps from. While the occasional malware does get past Google’s security, it happens very rarely.

Always carefully review requested permissions

Be very careful when giving permissions to apps. To protect yourself from malicious apps, do not blindly click “Allow” when a permission request appears. Always be skeptical about why a particular app would need the permissions it requests. For example, if you download a game and it requests permission to read your messages, make calls, etc., that should be an immediate red flag.

Keep your device up-to-date

Updates patch known vulnerabilities so it is important to install them. Otherwise, malicious actors may use those vulnerabilities to infect a device.

Do not click on unknown links or open unsolicited email attachments

You should be very careful with unsolicited SMS, emails, messages, etc., that have links or attachments. Do not click on unknown links, and remember, government agencies (e.g. law enforcement, tax agencies), banks, and other institutions do not send SMS messages with links in them. You should also never open unsolicited email attachments without double-checking them first. Scan them with an anti-virus program or VirusTotal.