We at K7 Labs recently came across this twitter post about Coper, a banking Trojan. The main infection vector of Coper was found on the official Google Play Store where it posed as UniFile manager – PDF viewer app with 10,000+ downloads as shown in Figure 1.

Figure 1:  UniFile manager – PDF viewer from Google Play Store

Once launched, this app requests the user to enable unknown apps source as shown in Figure 2.

Figure 2: Enable unknown apps source popup

When the user enables “Allow from this source”, this application downloads malicious Coper malware file com.lastcarn_PlayMarket.apk and saves it to the device download folder as PlayMarketUpdate.apk.

From the ADB Logcat report we noticed that the malware file “com.lastcarn_PlayMarket.apk” gets downloaded from a GitHub repository as shown in Figure 3.

Figure 3: ADB Logcat shows malware sample download URL

Figure 4 shows that the repository was created by Johmeffer. At the time of writing this blog the GitHub repository was still live.

Figure 4: GitHub repository where the malware sample was hosted

In this blog, we will be analyzing the package “com.lastcarn” corresponding to the com.lastcarn_PlayMarket.apk which has been downloaded from the above mentioned GitHub repository as shown in Figure 5.

Figure 5: Malicious APK downloaded from GitHub

Once the Coper malware is installed on the device, the app disguises itself as a “Play Market” which frequently brings up the Accessibility Service setting option on the device, as shown in Figure 6, until the user eventually allows this app to have the Accessibility Service enabled.

Figure 6: Request for Accessibility Service

Once the permissions are granted, this malicious apk decrypts the malicious payload file called “cermb” from the app’s assets folder to an executable dex format named ‘cermb.dex’ and loads the decrypted file as shown in Figure 7.

Figure 7: The logcat image shows the cermb.dex file execution at runtime

String Decryption

To evade detection, all the strings within the class, cermb.dex are encrypted with RC4 key “Pyae9UJ8swZDJz2KI“. Figure 8 shows the decryption routine used by the malware.

Figure 8:  Decryption routine

The Trojan then attempts to intercept SMS messages and aborts the new SMSReceived broadcast to the victim; as per the bot command “EXC_SMSRCV” as shown in Figure 9.

Figure 9: Intercept SMS messages

After abusing the Android Accessibility Service, this Trojan acts as a keylogger to steal the victims’ keystroke information from the device.

Figure 10:  Keylogger functionality

Figure 11 shows the hard-coded C2 domains embedded in Coper malware.

Figure 11: Encrypted and Decrypted C2 Domains

The list of Bot commands used by Coper malware are

  • bot_smarts_ver
  • close_activity_injects
  • injects_delay
  • keylogger_delay
  • keylogger_enabled
  • last_keylog_send
  • lock_on
  • smart_inject
  • smarts_attempts
  • sms
  • uninstall_apps
  • url
  • vnc_start
  • vnc_stop
  • write_settings

At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and scan your devices with it. Also keep your security product and devices updated and patched for the latest vulnerabilities to stay safe from such threats.


Package  NameHashDetection Name
com.readerall.yanersliteC41D025AE669F65A3E89C50C80587AF8 Trojan ( 0001140e1 )
com.lastcarn3ACD48E20CDC01D9F5A9BC760077F938Trojan ( 005572801 )
Cermb.dex6301EC14BD42288212694C2A9B63D2ABTrojan ( 0059e6071 )




Defense EvasionApplication Discovery,
Obfuscated Files or Information
Credential AccessCapture SMS Messages,
Access Stored Application Data
DiscoverySystem Network Configuration Discovery,
Application Discovery,
System Information Discovery
CollectionScreen Capture,
Capture SMS Messages,
Access Stored Application Data

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Play Store App Serves Coper Via GitHub”