Xafecopy Trojan Explained

Xafecopy Trojan is a malware software targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries.^[1] Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico.^{[2] [3] [4]}

History

Xafecopy was first discovered by Kaspersky in 2017 when it infected thousands of android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly in battery optimizers. Malicious code is downloaded onto the device without the knowledge or consent of the user.^[5] The app clicks on web pages that use the Wireless Application Protocol (WAP) billing method, and Xafecopy subscribes the phone to a number of services which charge money directly to the user's mobile phone bill. The technology is also able to bypass Captcha systems.^{[2] [6]}

Xafecopy has been found using JavaScript file names which was previously used by infamous Ztorg Trojan, triggering speculation of a possibility of code sharing between cyber criminal gangs.^{[7] [8]}

Operation

Xafecopy disguises itself as a useful app, often a battery optimizer.^[9] It operates by clicking on web pages with WAP billing system which is a form of mobile payment system charged directly to the mobile bill. The malware works in WAP-enabled android devices over a GPRS or 3G wireless connection and is based on the Ubsod family. It was detected by Kaspersky Lab as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the WAP billing URL addresses of the web pages through a command-and-control server. Once the URL address is received at the device, it clicks on the WAP billing links, which initiates a WAP session with the server, which then obtains the user's MSISDN and charges directly to the user's mobile carrier bill and subscribes to unwanted paid services.^{[10] [2] [11]}

Xafecopy appears to use technology which bypasses captcha systems.^[2] According to Kaspersky Lab, it shares significant coding obtained from other significant malware.^[12]

Modified versions of Xafecopy were also identified to have the capability of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network provider, and hiding alerts about balance deduction by reading incoming messages and checking for words like "subscription".^[10]

It is also capable of switching a user from WiFi connection to mobile data, as WAP billing works only when the user is connected to a mobile connection.^[10]

See also

• Trojan horse (computing)
• WAP

Notes and References

1. News: Xafecopy Trojan might be stealing money through your smartphone. The Mobile Indian. 2017-10-20.
2. Web site: New malware in India which steals money through mobile phones: Report – Times of India. . 10 September 2017.
3. Web site: इस मैलवेयर से मोबाइल यूज़र्स को खतरा, इन ऐप से बनाएं दूरी– News18 हिंदी. News18 India. 10 September 2017 . 10 September 2017.
4. Web site: New malware steals money through mobile phones, 40% targets in India: Report. 10 September 2017. 10 September 2017.
5. Web site: New malware steals users' money through mobile phones: Kaspersky report. PTI. 10 September 2017. 10 September 2017.
6. News: New malware steals users' money through mobile phones: Report. 10 September 2017. 10 September 2017. The Economic Times.
7. Web site: Mobile malwar еби си майката September 2017.
8. Web site: xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security. 10 September 2017.
9. Web site: В России обнаружена эпидемия четырех мобильных троянов. 10 September 2017.
10. Web site: Malware exploits WAP subscriptions to steal money. Kaspersky. Lab. www.kaspersky.com. 10 September 2017.
11. Web site: 'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom. www.ETTelecom.com. ETTelecom.com. 10 September 2017.
12. Web site: Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steals money via mobile phones. Tech2. 10 September 2017 . 10 September 2017.