Xafecopy Trojan

Xafecopy Trojan is a malware software targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries. Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico.

History
Xafecopy was first discovered by Kaspersky in 2017 when it infected thousands of android-based devices in India. The malware was reported to be embedded in a variety of apps, most commonly in battery optimizers. Malicious code is downloaded onto the device without the knowledge or consent of the user. The app clicks on web pages that use the Wireless Application Protocol (WAP) billing method, and Xafecopy subscribes the phone to a number of services which charge money directly to the user's mobile phone bill. The technology is also able to bypass Captcha systems.

Xafecopy has been found using JavaScript file names which was previously used by infamous Ztorg Trojan, triggering speculation of a possibility of code sharing between cyber criminal gangs.

Operation
Xafecopy disguises itself as a useful app, often a battery optimizer. It operates by clicking on web pages with WAP billing system which is a form of mobile payment system charged directly to the mobile bill. The malware works in WAP-enabled android devices over a GPRS or 3G wireless connection and is based on the Ubsod family. It was detected by Kaspersky Lab as Trojan-Clicker-AndroidOS.Xafekopy. Xafecopy receives the WAP billing URL addresses of the web pages through a command-and-control server. Once the URL address is received at the device, it clicks on the WAP billing links, which initiates a WAP session with the server, which then obtains the user's MSISDN and charges directly to the user's mobile carrier bill and subscribes to unwanted paid services.

Xafecopy appears to use technology which bypasses captcha systems. According to Kaspersky Lab, it shares significant coding obtained from other significant malware.

Modified versions of Xafecopy were also identified to have the capability of sending SMS from the device to premium-rate phone numbers, deleting incoming SMS from the mobile network provider, and hiding alerts about balance deduction by reading incoming messages and checking for words like "subscription".

It is also capable of switching a user from WiFi connection to mobile data, as WAP billing works only when the user is connected to a mobile connection.