Xafecopy Android Malware Empties Bank Accounts

Bad actors are siphoning off funds from bank accounts using a new Android malware, dubbed Xafecopy.

According to Kaspersky Lab, the largest share of victims is in India (37.5%), but the malware has infected 4,800 users in 47 countries. Other large groups of victims are in Mexico, Turkey and Russia.

WAP—a forerunner of mobile internet capability—provides the ability to load text-based, specially crafted mobile websites on non-smart phones. While it’s almost never used anymore, Kaspersky noted that mobile carriers still support parts of the technology, including a billing feature that allows users to pay for something right on a website directly from their mobile accounts. Cyber-criminals are taking advantage of this by giving their malware the ability to open web pages that use WAP billing and to click the buttons that initiate payments, all while the user suspects nothing.

“Malware that exploits WAP billing is less complicated than trojans that send premium-rate SMS messages,” John Snow, researcher at Kaspersky, said in a WAP billing blog. “Cyber-criminals do not even really have to teach their malware creations to gain the access they need for sending SMS messages; these Trojans are capable of staying under the radar and not asking for any special permissions such as access to Accessibility features.”

Kaspersky said that these kinds of trojans started to appear more often than usual in Q2 2017.

“Xafekopy pretends to be a useful app, most often a battery optimizer for smartphones,” Snow said. “It looks quite convincing; nothing in its UI reveals its malicious nature. But it clicks through WAP-billing URLs as well as advertisement URLs—Trojan authors often implement several methods of gaining profit in their malware.”

Further, “You may realize that there is a WAP-billing Trojan-clicker residing on your mobile device only after noticing that all of the money in your mobile account is gone,” Snow said.

Android users should follow best practices: avoid downloading apps from third-party stores, avoid installing unnecessary apps, and fully vet the apps they download from the Google Play Store.