For the last few months we have been tracking the Coper Android banking trojan (also known as Octo on dark-web forums). This malware caught our attention because it is extremely widespread, even though it seems to focus on Japanese, US and European targets.
During our analysis we discovered that one of the reasons for the success of this malware is its incredibly aggressive distribution vector, which includes malicious ad campaigns, the use of GitHub and Discord for malware hosting, and, surprisingly, the compromise of governmental websites. In addition, we have full statistics on the malware's geographical distribution and evolution, thanks to VirusTotal's telemetry.
In this presentation we will also uncover all of the malware's technical capabilities, including keylogging, PIN authentication interception and webinjects. We will provide all the technical details needed to recover the encrypted malware payload, in the hope that this will be helpful to the whole security community.
As a final note, we believe Android banking trojans may be having a more serious impact than initially considered, which is why we think it is important to share this investigation with a broader audience.