Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Android.BankBot.Coper.2.origin

Added to the Dr.Web virus database: 2021-07-04

Virus description added:

SHA1:

  • d689039c533ad29dfe7dc16b94a8966d79181ea7

Description

A trojan application for the Android operating system, which is a component of the Android.BankBot.Coper.1 banking trojan. It represents an executable dex file, whose main purpose is to obtain a number of system privileges and install another trojan module that performs the main malicious actions.

Operating routine

When launched by the Android.BankBot.Coper.1 dropper, the Android.BankBot.Coper.2.origin module gains access to Accessibility Services, disables the Google Play Protect protection mechanism built into the Android operating system and allows application installation from unknown sources. Next, it automatically installs a trojan apk package (Android.BankBot.Coper.2) that contains the main malicious component. It then grants it access to Accessibility Services. With that, it tries to protect this component and itself from being uninstalled. To do so, Android.BankBot.Coper.2.origin tracks the following events:

  • openings of the Google Play Protect page in the Play Market app
  • user attempts to change the device administrators list
  • user access to the trojan’s information page of the system list of installed apps
  • user attempts to change the trojan’s rights to access the Accessibility Services functions

If any of these events are detected, the trojan returns the victim to the home screen, simulating the user pressing the home button. And if the trojan detects an attempt to delete it or the main component, the trojan simulates the user pressing the back button. If the primary malicious component is ultimately deleted, the trojan will reinstall it.

Indicators of compromise

More details on Android.BankBot.Coper.1

More details on Android.BankBot.Coper.2

News about the trojan

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android