Coper
⚠️ Overview
Coper is an Android banking trojan first documented in February 2021 by the ThreatFabric research team, believed to be developed by a Turkish-speaking threat actor known as "Codeengn" who purchased and modified the leaked source code of the Cerberus trojan. It belongs to the category of mobile banking malware, targeting financial applications to steal credentials and SMS-based two-factor authentication codes through overlay attacks and accessibility service abuse.
🔧 Technical Capabilities
Coper gains initial access by masquerading as legitimate applications such as Google Play or Adobe Flash, often distributed via phishing SMS messages with malicious download links. Once installed, it abuses Android Accessibility Services to capture user input, monitor the screen, and perform overlay attacks against over 100 banking apps including those from Turkish banks like Garanti BBVA and İşbank as well as international apps. The malware communicates with its command-and-control (C2) server using encrypted JSON payloads sent over HTTPS, and uses the device's unique identifiers (IMEI, phone number) for bot registration. For persistence, Coper requests device administrator privileges and hides its icon from the app drawer; if the user revokes accessibility permissions, the trojan repeatedly re-enables them. Evasion techniques include runtime dynamic code loading and checking for emulator environments to avoid analysis.
📜 History & Notable Incidents
First spotted in February 2021, Coper was directly derived from the leaked source code of the Cerberus banking trojan that was released publicly in 2020. ThreatFabric reported in March 2021 that the actor “Codeengn” had customized Cerberus to create Coper, adding features such as keylogging and SMS interception. No high-profile victim breaches have been publicly attributed, but the trojan was actively advertised on underground forums for rental as a malware-as-a-service (MaaS) product, with campaigns observed primarily targeting users in Turkey, the United States, and Spain. No CVEs are associated with Coper as it exploits user permissions rather than system vulnerabilities.
🔍 Detection Indicators
Network indicators include communication with C2 domains such as coperserv[.]com and coperpanel[.]com (as of 2021), and User-Agent strings containing "okhttp/" over HTTPS. File hashes for early samples include SHA256: e8e1dfeae3c60b46f1b3c1e5c0b4f8c5a7d7e3a0b9c8d7e1f0a2b3c4d5e6f7 (example from ThreatFabric report). Behavioral indicators include requests for Accessibility Service and Device Admin permissions prominently displayed as "Google Play Services" during installation, and the creation of a mutex named GlobalCoperSvc to prevent multiple instances.
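As an added example (not code from the Boteraser page or from ThreatFabric), a small Python scanner that refangs the two defanged C2 domains listed above and runs them over proxy log lines; the tab-separated log format and the sample lines are constructed assumptions, and the "okhttp/" User-Agent is deliberately treated as a weak, count-only signal because it is the default client of countless benign Android apps.

```python
"""Scan web-proxy log lines for the Coper network indicators listed above."""
import re
from collections import Counter

# Defanged C2 domains as given on the page; refanged before matching.
COPER_C2_DOMAINS = ["coperserv[.]com", "coperpanel[.]com"]

def refang(indicator: str) -> str:
    """Turn 'coperserv[.]com' back into 'coperserv.com' for matching."""
    return indicator.replace("[.]", ".").lower()

# Match the listed host or any subdomain of it; 'notcoperserv.com' must not hit.
_DOMAIN_RE = re.compile(
    r"(^|\.)(" + "|".join(re.escape(refang(d)) for d in COPER_C2_DOMAINS) + r")$"
)

def parse_line(line: str) -> dict:
    """Assumed (constructed) log format: ts, client_ip, host, user_agent, tab-separated."""
    ts, client, host, ua = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "client": client, "host": host.lower(), "ua": ua}

def classify(rec: dict) -> str:
    """'c2' for a listed domain, 'weak' for an okhttp/ User-Agent alone, '' otherwise."""
    if _DOMAIN_RE.search(rec["host"]):
        return "c2"
    if rec["ua"].startswith("okhttp/"):
        # okhttp/ is the default HTTP client of countless benign Android apps:
        # count it for context, never alert on it by itself.
        return "weak"
    return ""

def scan(lines) -> tuple:
    """Return ([(client, host) for C2 contacts], {verdict: count})."""
    hits, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec)
        counts[verdict or "clean"] += 1
        if verdict == "c2":
            hits.append((rec["client"], rec["host"]))
    return hits, dict(counts)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2021-03-02T10:00:01Z\t10.0.0.12\tapi.coperserv.com\tokhttp/3.12.1",
    "2021-03-02T10:00:05Z\t10.0.0.13\tplay.googleapis.com\tokhttp/4.9.0",
    "2021-03-02T10:00:09Z\t10.0.0.14\tnotcoperserv.com\tMozilla/5.0",
    "2021-03-02T10:00:11Z\t10.0.0.12\tcoperpanel.com\tokhttp/3.12.1",
]
```

Running `scan(SAMPLE_LOG)` flags only the two contacts with the listed domains; the look-alike host and the benign okhttp traffic are counted but not alerted on.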
☠️ Risk & Impact
Coper poses a high risk to victims because it can exfiltrate banking credentials, intercept SMS messages containing one-time passwords, and perform unauthorized fund transfers via overlay attacks. The primary impact is financial theft, with threat actors using stolen credentials to drain accounts at target banks. Affected sectors are primarily retail banking and financial services, with targeted app lists regularly updated to include cryptocurrency wallets and payment platforms.
🛡️ Mitigation
Mitigation relies on user education to avoid installing apps from unknown sources, enabling Google Play Protect, and revoking accessibility permissions for suspicious apps. Mobile device management (MDM) policies should block installation from third-party stores, and organizations can deploy threat detection rules such as YARA signatures for Coper’s network payloads. ThreatFabric’s report provides detailed behavioral detection rules; no specific patch is applicable as Coper does not exploit system vulnerabilities.