Xafecopy Trojan

From Wikipedia, the free encyclopedia
Malware software

Xafecopy Trojan is malware targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries.[1] Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico.[2][3][4]

History


Xafecopy was first discovered by Kaspersky in 2017 when it infected thousands of Android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly in battery optimizers. Malicious code is downloaded onto the device without the knowledge or consent of the user.[5] The app clicks on web pages that use the Wireless Application Protocol (WAP) billing method, and Xafecopy subscribes the phone to a number of services which charge money directly to the user's mobile phone bill. The technology is also able to bypass CAPTCHA systems.[2][6]

Xafecopy has been found using JavaScript file names that were previously used by the infamous Ztorg Trojan, triggering speculation about possible code sharing between cybercriminal gangs.[7][8]

Operation


Xafecopy disguises itself as a useful app, often a battery optimizer.[9] It operates by clicking on web pages that use the WAP billing system, a form of mobile payment charged directly to the mobile bill. The malware works on WAP-enabled Android devices over a GPRS or 3G wireless connection and is based on the Ubsod family. It was detected by Kaspersky Lab as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the URLs of the WAP billing pages from a command-and-control server. Once a URL is received on the device, the malware clicks on the WAP billing links, which initiates a WAP session with the server; the server then obtains the user's MSISDN, charges the user's mobile carrier bill directly, and subscribes the user to unwanted paid services.[10][2][11]

Xafecopy appears to use technology which bypasses CAPTCHA systems.[2] According to Kaspersky Lab, it shares a significant amount of code with other significant malware.[12]

Modified versions of Xafecopy were also identified to have the capability of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network provider, and hiding alerts about balance deduction by reading incoming messages and checking for words like "subscription".[10]

It is also capable of switching a user from a Wi-Fi connection to mobile data, as WAP billing works only when the user is connected to a mobile connection.[10]
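A static triage check for the behaviours described in this section, as an added example that is not part of the original article or of Kaspersky Lab's analysis: it parses a decoded AndroidManifest.xml and flags the permission combination those behaviours would require. The permission-to-behaviour mapping, the escalation rule, the sample manifest and the package name `com.example.batterysaver` are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the article's sources): Android permissions an app
# would have to declare for each behaviour the section describes.
BEHAVIOUR_PERMS = {
    "send premium-rate SMS": {"android.permission.SEND_SMS"},
    "read or intercept incoming SMS": {"android.permission.RECEIVE_SMS",
                                       "android.permission.READ_SMS"},
    "switch Wi-Fi off to force mobile data": {"android.permission.CHANGE_WIFI_STATE"},
    "load WAP billing pages": {"android.permission.INTERNET"},
}

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml):
    """Map declared permissions to the behaviours they would enable."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(b for b, needed in BEHAVIOUR_PERMS.items() if perms & needed)
    # A utility app has no functional need for SMS access; SMS access together
    # with Wi-Fi control is the pattern this example escalates for review.
    sms = any("SMS" in b for b in hits)
    net = "switch Wi-Fi off to force mobile data" in hits
    return {"behaviours": hits, "escalate": sms and net}

# Constructed sample: manifest of a hypothetical "battery optimizer".
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A permission match only marks an app for manual review; many legitimate apps declare some of these permissions, so the result is a triage signal rather than a verdict.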

References

  1. "Xafecopy Trojan might be stealing money through your smartphone". The Mobile Indian. Retrieved 2017-10-20.
  2. "New malware in India which steals money through mobile phones: Report – Times of India". The Times of India. Retrieved 10 September 2017.
  3. "इस मैलवेयर से मोबाइल यूज़र्स को खतरा, इन ऐप से बनाएं दूरी – News18 हिंदी" [This malware threatens mobile users; keep away from these apps – News18 Hindi] (in Hindi). News18 India. 10 September 2017. Retrieved 10 September 2017.
  4. "New malware steals money through mobile phones, 40% targets in India: Report". 10 September 2017. Retrieved 10 September 2017.
  5. PTI (10 September 2017). "New malware steals users' money through mobile phones: Kaspersky report". Retrieved 10 September 2017.
  6. "New malware steals users' money through mobile phones: Report". The Economic Times. 10 September 2017. Retrieved 10 September 2017.
  7. "Mobile malware September 2017".
  8. "xafecopy-trojan-in-india-which-steals-money-through-mobile-phones-mobile-security". Retrieved 10 September 2017.
  9. "В России обнаружена эпидемия четырех мобильных троянов" [Epidemic of four mobile Trojans detected in Russia] (in Russian). Retrieved 10 September 2017.
  10. Lab, Kaspersky. "Malware exploits WAP subscriptions to steal money". www.kaspersky.com. Retrieved 10 September 2017.
  11. www.ETTelecom.com. "'Xafecopy' mobile malware detected in 40pct of India; looting victims through WAP billing – ET Telecom". ETTelecom.com. Retrieved 10 September 2017.
  12. "Xafecopy Trojan, a new malware detected in India; it disguises itself as an app to steals money via mobile phones". Tech2. 10 September 2017. Retrieved 10 September 2017.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Xafecopy_Trojan&oldid=1113306757"