David García Sep 21, 2021 3 min read

Coper: Use of Phishing Injections (Overlays) and the Log of Accessibility Events (Keylogging)

In July, a new family of banking malware for Android mobile devices was detected. 

Although the trojan uses the image of a Colombian bank, which suggests that its main target is Colombian users, the list of affected entities includes banks from the rest of the world, especially European ones (Spanish, Italian, British, etc.).


As we can see in the previous image, this trojan includes the logo of the bank's legitimate application that it impersonates, although the name does not correspond to the original.


This year, 2021, is the year of banking malware for Android, because after Toddler, Flubot and Oscorp; Coper is the fourth banker for Android that emerged this year.

It's possible that more will appear in what remains of the year, so it's very important to keep an eye out to detect them and protect users as quickly as possible.

The theft of credentials is carried out through phishing injections (overlays) and the logging of accessibility events (keylogging). However, it stands out for its packing process, for which it uses a native library that decrypts, loads and executes the final payload of the banker.

Download the full report here.


David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.