The CoyBot Android Trojan, a well-known threat in Brazil, continues its attacks against end users
The first campaigns were detected in October 2018, and since then new campaigns have reappeared occasionally. The latest activity has been analyzed across several of these campaigns.
The CoyBot Android Trojan is a well-known malware family that specifically targets users in Brazil. Some security groups track it under a different name, "BasBanke Trojan". It is developed by an unknown hacking group, and the sporadic release of new samples indicates that the code is still being worked on. That pattern also gives the impression that at least a sizable part of the activity is aimed at particular companies or networks.
The CoyBot Trojan still targets Android users and has been delivered in the following attacker-made packages (app label, package name, sample hash):
- Atributos (sforca.jyio.pele) — bf20ad4fcc9fb6910e481a199bb7da649bcd29dd91846692875a3a2c737b88d9
- GoogleSystem (gover.may.murder) — 585b675829dcab9f014d0a29861d8b7a77f41b249afc6009833436b95ccf6010
- SisParte (gover.may.murder) — 09bf981e5de5edaf39cc582a67f4f2561cba3e153f2ccf269514d839c73031f7
- AAABOBRA (gover.may.murder) — f83e570656943539fa934f2dd0a4fbaec8a4792bb2ed3701b0acf8c924556b9
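As an added example (not code from the original article or from the analysts who reported these samples), the following Python triage script matches the indicators listed above against a device's installed package names (the output of `adb shell pm list packages`, with or without `-f`) and against the SHA-256 of APK files pulled to a local directory. The placeholder file it writes is constructed and is not a real APK. The fourth hash is deliberately left out: as printed above it is 63 hex characters long, so it cannot be a complete SHA-256 and would never match; the missing digit is not guessed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the list above. The AAABOBRA hash is omitted
# because the printed value is 63 characters, not a full SHA-256.
COYBOT_PACKAGES = frozenset({"sforca.jyio.pele", "gover.may.murder"})
COYBOT_SHA256 = frozenset({
    "bf20ad4fcc9fb6910e481a199bb7da649bcd29dd91846692875a3a2c737b88d9",
    "585b675829dcab9f014d0a29861d8b7a77f41b249afc6009833436b95ccf6010",
    "09bf981e5de5edaf39cc582a67f4f2561cba3e153f2ccf269514d839c73031f7",
})


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large APKs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_pm_list(output):
    """Parse `adb shell pm list packages [-f]` output into package names.

    Lines look like `package:com.foo` or, with -f,
    `package:/data/app/.../base.apk=com.foo`.
    """
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        entry = line[len("package:"):]
        names.add(entry.rsplit("=", 1)[-1])
    return names


def flag_installed_packages(installed, known=COYBOT_PACKAGES):
    """Return the installed package names that match the CoyBot indicators."""
    return set(installed) & set(known)


def find_matching_apks(directory, known_hashes=COYBOT_SHA256):
    """Hash every *.apk in `directory` and return (name, digest) for known samples."""
    hits = []
    for apk in sorted(Path(directory).glob("*.apk")):
        digest = sha256_file(apk)
        if digest in known_hashes:
            hits.append((apk.name, digest))
    return hits


def make_constructed_sample_dir():
    """Write a constructed placeholder file (not a real APK) so the scanner
    can be exercised offline. Returns (directory, file path, expected SHA-256)."""
    d = tempfile.mkdtemp(prefix="coybot_ioc_")
    content = b"PK\x03\x04 constructed placeholder, not a real APK"
    path = os.path.join(d, "suspect.apk")
    with open(path, "wb") as f:
        f.write(content)
    return d, path, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    # Constructed pm-list output standing in for `adb shell pm list packages -f`.
    pm_output = (
        "package:/data/app/com.android.chrome-1/base.apk=com.android.chrome\n"
        "package:/data/app/gover.may.murder-1/base.apk=gover.may.murder\n"
    )
    print("suspicious packages:", flag_installed_packages(parse_pm_list(pm_output)))
    d, _, _ = make_constructed_sample_dir()
    print("hash matches:", find_matching_apks(d))
```

Package-name matching catches re-packaged variants that keep the same identifier (three of the four samples share `gover.may.murder`), while hash matching only catches these exact files; run both, and treat a name match as a lead to confirm rather than proof on its own, since an attacker can change the package name at will.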
CoyBot appears to reach users through several distribution channels. Apart from the usual uploads to online app repositories (commonly under stolen or fake developer accounts), the malware is spread through social engineering, including hacked or fake profiles operated by the criminal group. Links to the malicious files, or the packages themselves, are commonly shared on Facebook and WhatsApp. The group has also been found to copy the design and layout of these services and to build look-alike pages in order to trick victims into interacting with them.
Brazilian CoyBot Android Trojan Operations
The current versions of the threat do not behave much differently from earlier infections. Once installed on an Android device, the app first requests the permissions it needs through the system's permission prompt. If the user agrees, a service starts running in the background; it can generate and show notifications and pop-ups and interact with the system.
The next step is to launch the Trojan's components. The first is tasked with monitoring active processes, both system processes and those launched by the user. This process control lets CoyBot hijack information from those processes or stop them from running. It is especially dangerous because the same mechanism can be used to manipulate fields in bank transactions and online payments, redirecting money to attacker-controlled bank accounts.
CoyBot also hides from security tools by keeping its code and strings Base64-encoded and decoding only what it needs at run time. Base64 is an encoding, not encryption: it hides nothing from an analyst who decodes it, but it defeats signature matching on the stored form and hinders most automated sample-analysis engines. The Trojan also impersonates common Android activities.
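Because the obfuscation described above is plain Base64, the strings can be recovered statically. The following Python helper is an added example, not code from the article or from any CoyBot analysis: it scans a byte blob (a decompiled class, a resource file, a memory dump) for runs of Base64 alphabet characters, decodes each candidate, and keeps peeling layers while the result is still printable Base64, which catches the double-encoded strings that samples like this often use. The input it scans is a constructed string table with an RFC 5737 documentation address; none of it is taken from a real sample.

```python
import base64
import binascii
import re

# A candidate is a run of at least 16 Base64 alphabet characters plus
# optional padding; shorter runs produce too many false positives.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def looks_printable(data, threshold=0.9):
    """True when at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(data) >= threshold


def peel_base64(token, max_layers=4):
    """Decode `token` repeatedly, returning each layer's plaintext.

    Stops when the length is not a multiple of four, the alphabet or padding
    is invalid (validate=True), or the output is not printable. A short
    alphanumeric plaintext whose length is a multiple of four can decode to
    a bogus extra layer; the printability check rejects nearly all of those.
    """
    layers = []
    current = token
    for _ in range(max_layers):
        if len(current) % 4:
            break
        try:
            decoded = base64.b64decode(current, validate=True)
        except binascii.Error:
            break
        if not looks_printable(decoded):
            break
        layers.append(decoded)
        current = decoded.strip()
    return layers


def extract_strings(blob, max_layers=4):
    """Return [(encoded token, [layer1, layer2, ...])] for every decodable run in `blob`."""
    found = []
    for m in B64_TOKEN.finditer(blob):
        layers = peel_base64(m.group(0), max_layers)
        if layers:
            found.append((m.group(0).decode("ascii"),
                          [layer.decode("utf-8", "replace") for layer in layers]))
    return found


def build_constructed_sample():
    """A fake string table in the style of an obfuscated app: binary noise,
    one single-encoded URL and one double-encoded package name.
    Constructed for this example, not taken from a CoyBot sample."""
    c2 = base64.b64encode(b"https://203.0.113.10/gate.php")
    target = base64.b64encode(base64.b64encode(b"com.example.bank"))
    return (b"\x00\x01class Foo{}\x00" + c2
            + b"\x00\x02more noise\x00" + target + b"\x03")


if __name__ == "__main__":
    for token, layers in extract_strings(build_constructed_sample()):
        print(token, "->", " -> ".join(layers))
```

Run it over the decompiled sources or the `.dex` strings of a suspect APK; the innermost layer of each hit is what the app actually uses at run time, which is where C2 addresses and targeted package names turn up.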
Like other common Trojans, it establishes an encrypted connection to a hacker-controlled command-and-control server, which lets the operators take control of the infected devices. It can also deliver other malware, including a Windows threat known as Pazera. The analyzed samples have also been shown to send out collected information about the users and the compromised devices and machines.