# Copybara
Copybara is an Italian-focused Android banking trojan distributed primarily through Telephone-Oriented Attack Delivery (TOAD), where operators use voice phishing (vishing) to guide victims into installing the malware. Cleafy first identified the family in November 2021. ThreatFabric clarified its relationship to the broader BRATA ecosystem in mid-2022, establishing that Copybara, while sharing the B4A development framework with BRATA and AmexTroll, is a distinct family with its own codebase, C2 protocol, and operational focus. Later variants adopted the MQTT protocol for command-and-control, analyzed in depth by Zscaler ThreatLabz and ThreatFabric.
## Overview
| Attribute | Details |
|---|---|
| First Seen | November 2021 |
| Last Seen | Active (ongoing campaigns) |
| Status | Active, under continued development |
| Type | Banking trojan with On-Device Fraud (ODF) |
| Attribution | Unknown; operations concentrated against Italian financial sector |
| Aliases | CopyBara, BRATA variant (misattribution) |
| Development Tool | B4A (Basic4Android) framework |
| C2 Protocol | MQTT (latest variants), HTTP (earlier variants) |
## Vendor Names
| Vendor | Name |
|---|---|
| Cleafy | Copybara |
| ThreatFabric | Copybara |
| Zscaler | Copybara |
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Copybara |
| ESET | Android/Spy.Banker.Copybara |
| Trend Micro | AndroidOS_Copybara |
| Dr.Web | Android.BankBot.Copybara |
| Malwarebytes | Android/Trojan.Banker.Copybara |
## Origin and Lineage
ThreatFabric's "BRATA: a tale of three families" analysis resolved significant naming confusion in the security community. What researchers had collectively labeled "BRATA" was actually three separate families:
| Family | Relationship | Distinguishing Feature |
|---|---|---|
| BRATA | Original family | Brazilian origin, factory reset capability |
| AmexTroll | Related but distinct | Expanded to UK/Australian targets, "black overlay" technique |
| Copybara | Related but distinct | Italian focus, MQTT-based C2, TOAD distribution |
All three families share the B4A (Basic4Android) development framework, which became free in February 2020. ThreatFabric observed Copybara and AmexTroll being distributed simultaneously through different channels in the first half of 2022, confirming they are separate operations rather than sequential versions of the same malware. The families differ in code implementation, scope, and likely operators.
Copybara's evolution tracks from late 2021 through multiple updates. The November 2023 variant documented by Zscaler introduced MQTT-based C2 communication, replacing earlier HTTP protocols with a lightweight messaging protocol optimized for persistent bidirectional communication.
## Distribution
Copybara's distribution is defined by TOAD: the combination of social engineering phishing with live voice calls to guide victims through installation.
| Vector | Details |
|---|---|
| Smishing | Initial contact via SMS spoofed to appear from the victim's bank, containing a link to a phishing page that collects contact details |
| Vishing (TOAD) | Attacker calls the victim, posing as bank support, and instructs them to download a "security application" |
| Fake banking apps | APKs disguised with legitimate bank logos and authentic-sounding names: "Caixa Sign Nueva," "BBVA Codigo," "Sabadell Codigo" |
| Phishing websites | Landing pages that mimic bank portals, used to collect personal information before the vishing call |
### TOAD Attack Flow
ThreatFabric's TOAD analysis documented the full attack chain:
- Victim receives SMS appearing to be from their bank with a link to a phishing page
- Victim enters personal information and contact details on the phishing page
- Attacker calls the victim, impersonating bank support, referencing the information just entered
- Caller instructs the victim to download and install a "security app" to protect their account
- Caller guides the victim through granting accessibility and other permissions
- Copybara activates, giving the operator remote access to the device
- Operator performs On-Device Fraud via the victim's banking app
The vishing component is essential to Copybara's success: the live caller builds trust, creates urgency, and walks the victim past every permission prompt and sideloading warning that would otherwise stop the installation.
## Capabilities
### Core Capabilities
| Capability | Implementation |
|---|---|
| On-Device Fraud (ODF) | Remote control of victim device for direct banking transactions via accessibility service |
| Remote device control | Full VNC-style interaction for navigating banking apps, initiating transfers |
| Overlay attacks | Credential phishing overlays impersonating banking and cryptocurrency apps |
| Keylogging | Accessibility-based keystroke capture across all applications |
| Audio recording | Record ambient audio via device microphone |
| Video recording | Capture device screen activity |
| SMS interception | Read and forward SMS for OTP capture |
| Screen capture | Capture screenshots during fraud operations |
| Credential theft | Phishing pages for banking and cryptocurrency exchange logins |
### MQTT Variant (November 2023)
Zscaler's technical analysis documented 59 supported bot commands in the MQTT-based variant:
| Category | Details |
|---|---|
| Communication | MQTT protocol on port 52997, subscribing to commands_FromPC queue |
| Device control | Remote tap, swipe, type, navigate, screenshot |
| Data exfiltration | SMS, contacts, accounts, installed apps, browser cookies |
| Persistence | Disable battery optimization, run as foreground service, prevent uninstallation |
| Fraud | Overlay injection, keylogging, OTP interception, screen lock credential capture |
## Technical Details
### MQTT Command-and-Control
The shift from HTTP to MQTT in the November 2023 variant represents a significant architectural change. MQTT (Message Queuing Telemetry Transport) is a lightweight publish/subscribe messaging protocol designed for IoT and constrained environments:
- The malware connects to an MQTT broker on port 52997
- Subscribes to a commands_FromPC queue for receiving operator commands
- Publishes stolen data and status updates to separate queues
- Persistent connection enables real-time bidirectional communication without HTTP polling overhead
- Connection remains open for the duration of the fraud session
MQTT offers operational advantages over HTTP for banking fraud: lower latency for interactive remote control sessions, reduced network overhead, and persistent connections that survive brief network interruptions.
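The two indicators the page gives for this variant, an MQTT broker on port 52997 and a subscription to the commands_FromPC queue, are both visible on the wire before any fraud takes place. The following is an added example (not code from the page, Zscaler or ThreatFabric) of a minimal MQTT 3.1.1 packet parser that extracts the topic names from CONNECT, SUBSCRIBE and PUBLISH packets and scores a flow against those two indicators. The sample packets are constructed inline; the port and topic name are the page's, the helper and function names are this example's own.

```python
import struct
from dataclasses import dataclass, field

COPYBARA_PORT = 52997                  # broker port reported for the November 2023 variant
COPYBARA_TOPICS = {"commands_FromPC"}  # command queue name reported by Zscaler
PACKET_TYPES = {1: "CONNECT", 3: "PUBLISH", 8: "SUBSCRIBE"}  # the only types we model


def _read_remaining_length(buf, pos):
    """Decode the MQTT variable-length 'remaining length' field (1-4 bytes, 7 bits each)."""
    multiplier, value = 1, 0
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _read_utf8(buf, pos):
    """Read a 2-byte big-endian length prefix followed by that many UTF-8 bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


@dataclass
class MqttPacket:
    ptype: str
    topics: list = field(default_factory=list)
    client_id: str = None


def parse_mqtt(buf):
    """Parse one MQTT 3.1.1 control packet; unmodelled types yield a bare TYPE_n record."""
    ptype = buf[0] >> 4
    rem_len, pos = _read_remaining_length(buf, 1)
    end = pos + rem_len
    if end > len(buf):
        raise ValueError("truncated packet")
    name = PACKET_TYPES.get(ptype)
    if name is None:
        return MqttPacket(ptype=f"TYPE_{ptype}")
    pkt = MqttPacket(ptype=name)
    if name == "CONNECT":
        _proto, pos = _read_utf8(buf, pos)   # protocol name, normally "MQTT"
        pos += 1 + 1 + 2                     # protocol level, connect flags, keep-alive
        pkt.client_id, pos = _read_utf8(buf, pos)
    elif name == "SUBSCRIBE":
        pos += 2                             # packet identifier
        while pos < end:                     # payload: repeated (topic filter, requested QoS)
            topic, pos = _read_utf8(buf, pos)
            pos += 1
            pkt.topics.append(topic)
    elif name == "PUBLISH":
        topic, pos = _read_utf8(buf, pos)    # topic name is the first field of the variable header
        pkt.topics.append(topic)
    return pkt


def assess_flow(dst_port, payload):
    """Return the list of reasons this (port, first packet) pair matches the Copybara MQTT profile."""
    reasons = []
    pkt = parse_mqtt(payload)
    if dst_port == COPYBARA_PORT and pkt.ptype in PACKET_TYPES.values():
        reasons.append(f"MQTT {pkt.ptype} to non-standard broker port {dst_port}")
    for topic in pkt.topics:
        if topic in COPYBARA_TOPICS:
            reasons.append(f"{pkt.ptype} references known Copybara topic {topic!r}")
    return reasons


# --- constructed sample packets (builders used only to fabricate test traffic) ---
def _encode_remaining_length(n):
    out = bytearray()
    while True:
        b, n = n % 128, n // 128
        if n:
            b |= 0x80
        out.append(b)
        if not n:
            return bytes(out)


def build_connect(client_id):
    cid = client_id.encode()
    body = b"\x00\x04MQTT" + b"\x04" + b"\x02" + struct.pack(">H", 60)
    body += struct.pack(">H", len(cid)) + cid
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def build_subscribe(packet_id, topics):
    body = struct.pack(">H", packet_id)
    for t in topics:
        enc = t.encode()
        body += struct.pack(">H", len(enc)) + enc + b"\x00"   # QoS 0
    return bytes([0x82]) + _encode_remaining_length(len(body)) + body   # type 8, flags 0010


def build_publish(topic, payload):
    enc = topic.encode()
    body = struct.pack(">H", len(enc)) + enc + payload
    return bytes([0x30]) + _encode_remaining_length(len(body)) + body


if __name__ == "__main__":
    for port, pkt in [(52997, build_connect("bot-1")),
                      (52997, build_subscribe(1, ["commands_FromPC"])),
                      (1883, build_publish("sensors/temp", b"21"))]:
        print(port, parse_mqtt(pkt).ptype, assess_flow(port, pkt))
```

The parser deliberately ignores authentication fields, QoS packet identifiers and the PUBLISH body: for detection, the topic names and the destination port are what matter, and a legitimate IoT client publishing to a benign topic on port 1883 scores zero reasons.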
### Accessibility Abuse
Copybara's On-Device Fraud depends on Android's accessibility service:
- Victim grants accessibility during TOAD-guided installation
- Malware auto-grants additional permissions (SMS, phone, storage, microphone)
- Monitors foreground application changes for overlay triggering
- Provides remote control functionality for operator-driven fraud
- Captures keystrokes and screen content during banking sessions
- Prevents navigation to settings to block uninstallation
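Because every step above starts from a single accessibility grant to a sideloaded app, the cheapest triage on a suspected device is to list the enabled accessibility services and check where each owning package was installed from. The following is an added example (not code from the page or any vendor) that parses the output of two standard Android commands, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and reports every accessibility service whose package did not come from a trusted installer. The sample outputs are constructed, the package names in them are fictitious, and the trusted-installer set is an assumption for a fleet that only uses Google Play.

```python
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play is the only sanctioned store

# Constructed sample, shaped like `adb shell settings get secure enabled_accessibility_services`
# (colon-separated list of package/service component names)
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.securityapp/.AccessService"
)

# Constructed sample, shaped like `adb shell pm list packages -i`
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.securityapp  installer=null
package:com.android.chrome  installer=com.android.vending"""


def parse_enabled_services(raw):
    """Return [(package, component)] for each enabled accessibility service."""
    services = []
    for component in raw.strip().split(":"):
        if not component:
            continue
        package = component.split("/", 1)[0]
        services.append((package, component))
    return services


def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("package:"):
            continue
        package = parts[0][len("package:"):]
        installer = None
        for field in parts[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[package] = installer
    return installers


def triage_accessibility(services_raw, installers_raw, trusted=TRUSTED_INSTALLERS):
    """Flag accessibility services owned by packages that were sideloaded or installed from an untrusted source."""
    installers = parse_installers(installers_raw)
    findings = []
    for package, component in parse_enabled_services(services_raw):
        installer = installers.get(package)
        if installer not in trusted:
            findings.append({"package": package, "component": component, "installer": installer})
    return findings


if __name__ == "__main__":
    for f in triage_accessibility(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"SUSPICIOUS accessibility service {f['component']} (installer={f['installer']})")
```

An installer of `null` means the APK was sideloaded, which is exactly what a TOAD call walks the victim into; combined with an enabled accessibility service it is a strong enough signal to pull the APK for analysis.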
### Overlay Phishing Pages
Zscaler documented that Copybara downloads phishing pages from the C2 that impersonate popular cryptocurrency exchanges and financial institutions. The pages use legitimate logos and application names to convince victims to enter their credentials. Overlay injection is triggered when the accessibility service detects a target app entering the foreground.
### B4A Framework
Like BRATA and AmexTroll, Copybara is built using the B4A (Basic4Android) development framework. B4A uses a BASIC-like language and generates standard Android APKs. The framework produces a recognizable code structure in decompiled output, which aided ThreatFabric in identifying the relationship between the three families.
### Anti-Analysis
| Technique | Method |
|---|---|
| String obfuscation | Sensitive strings encrypted and resolved at runtime |
| Emulator detection | Checks build properties and hardware characteristics |
| Locale check | Verifies device language/region matches Italian or Spanish targets |
| Dynamic payloads | Overlay pages and configuration retrieved from C2 post-installation |
## Target Regions and Financial Institutions
Copybara maintains a narrow geographic focus centered on Italian and Spanish financial institutions.
| Region | Details |
|---|---|
| Italy | Primary target, majority of all observed campaigns |
| Spain | Secondary target, fake apps impersonating BBVA, Caixa, Sabadell |
| UK | Targeted in cross-campaign activity documented by Cleafy |
Cleafy's fraud campaign analysis documented campaigns from late 2023 through early 2024 targeting Italian, Spanish, and UK banking customers. The stolen funds were transferred to a well-organized network of money mule accounts via instant payment systems.
Italian banks remain the core focus. The TOAD distribution method requires Italian-speaking (or Spanish-speaking) operators who can convincingly impersonate bank support staff, which naturally constrains the geographic scope.
## Notable Campaigns
November 2021: Copybara first identified by Cleafy, targeting Italian banking customers through phishing sites and early TOAD delivery methods.
First half 2022: ThreatFabric observes Copybara and AmexTroll distributed simultaneously through different channels, confirming they are separate families despite shared B4A framework lineage.
October 2022: ThreatFabric publishes TOAD fraud analysis, documenting the full vishing attack chain used to deploy Copybara against Italian banking customers. The research details how operators combine phishing sites with live phone calls to guide victims through installation and permission granting.
November 2023: The MQTT variant emerges. Zscaler ThreatLabz publishes technical analysis documenting 59 bot commands and the shift from HTTP to MQTT-based C2 communication.
Late 2023 - Early 2024: Cleafy intercepts an active fraud campaign against UK, Spanish, and Italian banking customers. The full fraud chain is traced from initial social engineering to fraudulent wire transfers routed through money mule networks. The campaign uses both smishing and vishing to distribute Copybara, with fake apps impersonating Spanish banks including BBVA, Caixa, and Sabadell.