Brazilian Coybot Android Trojan is back in the wild
The Coybot Android Trojan, also known as BasBanke, is a well-known Trojan that targets users in Brazil. It was first detected in October 2018 and has reappeared in several campaigns since. It targets Android users and is delivered through the following packages built by the operators behind it (app label, package name and file hash):
- GoogleSystem (gover.may.murder) — 585b675829dcab9f014d0a29861d8b7a77f41b249afc6009833436b95ccf6010
- AAABOBRA (gover.may.murder) — f83e570656943539fa934f2dd0a4fbaec8a4792bb2ed3701b0acf8c924556b9
- SisParte (gover.may.murder) — 09bf981e5de5edaf39cc582a67f4f2561cba3e153f2ccf269514d839c73031f7
- Atributos (sforca.jyio.pele) — bf20ad4fcc9fb6910e481a199bb7da649bcd29dd91846692875a3a2c737b88d9
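The hashes above are the usable indicators on this page, so the natural check is to hash files and match them against that list. The script below is an added example, not code from the original article or from the malware's authors; it embeds the page's IOC table verbatim, validates each entry as a 64-hex-character SHA-256 (the AAABOBRA hash is printed with only 63 characters, so it is reported as malformed rather than silently never matching), and then hashes every file under a directory. The in-memory matcher and the use of SHA-256 are assumptions about how a responder would consume these indicators.

```python
import hashlib
import re
from pathlib import Path

# IOC table copied from the page: (app label, package name, file hash as printed).
COYBOT_IOCS = [
    ("GoogleSystem", "gover.may.murder",
     "585b675829dcab9f014d0a29861d8b7a77f41b249afc6009833436b95ccf6010"),
    ("AAABOBRA", "gover.may.murder",
     "f83e570656943539fa934f2dd0a4fbaec8a4792bb2ed3701b0acf8c924556b9"),
    ("SisParte", "gover.may.murder",
     "09bf981e5de5edaf39cc582a67f4f2561cba3e153f2ccf269514d839c73031f7"),
    ("Atributos", "sforca.jyio.pele",
     "bf20ad4fcc9fb6910e481a199bb7da649bcd29dd91846692875a3a2c737b88d9"),
]

# A SHA-256 digest is exactly 64 hex characters; anything else cannot match any file.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_iocs(iocs):
    """Split an IOC list into usable digests and malformed entries.

    Returns (usable, bad): usable maps digest -> (label, package),
    bad is the list of labels whose hash is not a well-formed SHA-256.
    """
    usable, bad = {}, []
    for label, package, digest in iocs:
        digest = digest.strip().lower()
        if SHA256_RE.match(digest):
            usable[digest] = (label, package)
        else:
            bad.append(label)
    return usable, bad


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_data(data, iocs=COYBOT_IOCS):
    """Return (label, package) if the in-memory blob matches an IOC, else None."""
    usable, _bad = validate_iocs(iocs)
    return usable.get(sha256_bytes(data))


def scan_directory(root, iocs=COYBOT_IOCS):
    """Hash every regular file under root and report IOC hits.

    Returns a dict with the matched files and the malformed IOCs that were skipped.
    """
    usable, bad = validate_iocs(iocs)
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in usable:
                label, package = usable[digest]
                hits.append({"path": str(path), "label": label, "package": package})
    return {"hits": hits, "malformed_iocs": bad}


if __name__ == "__main__":
    import sys
    report = scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in report["hits"]:
        print(f"MATCH {hit['path']}: {hit['label']} ({hit['package']})")
    for label in report["malformed_iocs"]:
        print(f"WARNING: IOC for {label} is not a valid SHA-256 and was skipped")
```

Run it as `python coybot_ioc_scan.py /path/to/apks`; a hash match identifies the exact sample listed here, while a renamed or repacked APK will not match and needs the behavioural checks described further down.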
The operators appear to use several distribution channels. Besides uploading the packages to online repositories, the malware is spread through scam email campaigns: the attackers set up fake sender profiles and attach the malicious file, which may arrive in any format, including executables, archives, MS Office or PDF documents. A short message in such emails is meant to make the mail look legitimate and present the attachment as an important document. The files are also spread through Facebook and WhatsApp.
How the Brazilian Coybot Android Trojan works
After a successful installation, Coybot first prompts the user for permissions through a pop-up; granting them lets the Trojan start on every reboot and run continuously in the background. It then launches the components that harvest information. This is dangerous because it can capture banking transactions and online payments and redirect them to accounts controlled by the attackers.
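The reboot persistence described above is visible in an app's manifest: it needs the RECEIVE_BOOT_COMPLETED permission plus a broadcast receiver that listens for android.intent.action.BOOT_COMPLETED. The following triage script is an added example, not code from the article or from the malware; it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports the boot receiver together with other permissions worth a second look. The watch list beyond RECEIVE_BOOT_COMPLETED, the two sample manifests and the package names in them are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's {namespace}attribute form

BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Assumed watch list: permissions that give a banking Trojan persistence,
# screen overlays for fake login prompts, and access to SMS one-time codes.
WATCH_PERMISSIONS = {
    BOOT_PERMISSION,
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def analyse_manifest(xml_text):
    """Return a dict describing persistence and suspicious permissions in a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}

    # A receiver only fires at boot if one of its intent-filters names BOOT_COMPLETED.
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(A + "name"))

    return {
        "package": package,
        "suspicious_permissions": sorted(permissions & WATCH_PERMISSIONS),
        "boot_receivers": boot_receivers,
        # Both halves are required: the permission alone does nothing without a receiver.
        "boot_persistence": BOOT_PERMISSION in permissions and bool(boot_receivers),
    }


# Constructed manifest shaped like a boot-persistent overlay Trojan (not a real sample).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="GoogleSystem">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: requests the boot permission but never registers a receiver.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(analyse_manifest(text))
```

Point the function at the manifest of each APK pulled from a device (`adb pull` followed by `apktool d`) and treat `boot_persistence` together with an overlay or SMS permission as a strong reason to look at the code behind the receiver.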
Coybot tries to hide from security tools by obfuscating itself with base64. Note that base64 is an encoding, not encryption: it stops a plain string search from finding URLs and other indicators, but anyone who spots the encoded data can reverse it in one step. Like other Trojans, it connects to remote command-and-control servers, giving the operators control over the infected device, and it can deliver further malware, including a Windows threat named Pazara.
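Because base64 is reversible, the obfuscation above is exactly what an analyst undoes first when triaging a sample. The script below is an added example, not the article's or the malware's own code: it scans a byte blob (for instance a decompiled class or the raw DEX) for base64-looking runs, decodes each one strictly, and keeps only those that decode to printable text, which is how an encoded C2 URL surfaces. The sample blob, the C2 address and the overlay title in it are constructed for the demonstration.

```python
import base64
import binascii
import re
import string

# A run of at least 16 base64 alphabet characters, with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Printable ASCII plus tab/newline; vertical tab and form feed are excluded
# because they almost never appear in genuine strings.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def decode_candidates(blob):
    """Return (encoded, decoded) pairs for base64 runs that decode to printable text."""
    found = []
    for match in B64_RUN.finditer(blob):
        token = match.group(0)
        # Pad to a multiple of 4 so unpadded runs still decode; runs whose length
        # is 1 mod 4 can never be valid base64 and are rejected by the decoder.
        padded = token + b"=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(b in PRINTABLE for b in raw):
            found.append((token.decode("ascii"), raw.decode("ascii")))
    return found


def build_sample():
    """Constructed stand-in for a string pool from a decompiled class (not a real sample)."""
    c2 = base64.b64encode(b"https://c2.example.invalid/gate.php")
    title = base64.b64encode(b"Atualize seus dados bancarios")
    return (
        b"\x00\x01class BankOverlay\x00"
        b"url=" + c2 + b"\x00"
        b"title=" + title + b"\x00"
        b"AAAAAAAAAAAAAAAAAAAA\x00"   # base64 alphabet, but decodes to NUL bytes: dropped
        b"versionName=1.0.3\x00"
    )


if __name__ == "__main__":
    for encoded, decoded in decode_candidates(build_sample()):
        print(f"{encoded}  ->  {decoded!r}")
```

On a real APK, run the same function over each file from `unzip` of the package or over the output of a decompiler; the decoded values are the strings to search for in network captures and to add to blocklists, and a decoded hostname is more useful as an indicator than the encoded token itself.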