
Added to the Dr.Web virus database: 2021-07-05

Virus description added:


  • f2de6a855f04a0f5e0999c5b413347adaa1197e2


Android.BankBot.Coper.1.origin is a banking trojan for the Android operating system that targets Colombian users. It is an executable DEX file and a component of the Android.BankBot.Coper.2 malicious application.

Operating routine

Upon launch, Android.BankBot.Coper.1.origin hides the icon of its parent app, Android.BankBot.Coper.2, from the list of installed applications on the home screen and connects to the C&C server to register the infected device. The trojan maintains the connection by sending requests to the server every minute. This interval can be changed if the trojan receives the corresponding command. Android.BankBot.Coper.1.origin can also change other parameters of its configuration:

  • response―various variants of server response. For instance, REG_SUCCESS or SMS_OK_. The former is received upon registering the infected device on the server, after which the trojan sets the true value in the is_registered field of the configuration. When the latter is received, the trojan deletes the contents of the intercepted SMS stored in the new_sms field
  • injects_list―a list of targeted applications, whose windows will be overlaid by a phishing window upon launch
  • extra_domains―a list of C&C servers
  • block_push_apps―a list of programs whose push notifications will be blocked
  • minimize_apps―a list of apps that the trojan will prevent from launching, returning the user to the home screen
  • uninstall_apps―a list of apps to delete
  • keylogger_enabled―launch a keylogger

Moreover, timers for various actions can also be set:

  • block_push_delay;
  • minimize_delay;
  • uninstall_delay;
  • keylogger_delay;
  • injects_delay;
  • net_delay.

The trojan can receive the following commands to execute malicious actions:

  • ussd―run a USSD request
  • sms―send an SMS
  • lock_on―lock the device screen
  • lock_off―unlock the device screen
  • intercept_on―start intercepting SMS
  • intercept_off―stop intercepting SMS
  • push―display a push notification
  • repeat_inject―re-display a phishing window on top of the targeted app’s window
  • start_keylogger―run a keylogger
  • stop_keylogger―stop a keylogger
  • uninstall_apps―delete an application specified in the command
  • kill_bot―delete itself and the dropper

Moreover, Android.BankBot.Coper.1.origin intercepts and sends the contents of all incoming push notifications to the C&C server.

Phishing windows are displayed in a WebView that loads content received from the C&C server.

All requests to the server and all responses received from it are encrypted with the AES algorithm using the key 54569d2aaae7176335a67bf72e86736f.

The parameters sent to the C&C server when the infected device is registered:

  • xc is a request type. For example, bR is a registration request. It can also have the bS value for sending SMS and the bP for other actions
  • tA is a device IMEI number
  • tB is a mobile number
  • tC is a user country
  • tD is a default system language
  • tE is an OS version
  • tF is a device model
  • tG is a mobile carrier
  • lA is a list of installed apps
  • lB is a constant
  • lL is a flag representing the presence of the installed dropper
  • bI is an md5 fingerprint of the device
  • iA is a getDefaultSmsPackage flag showing the trojan is a default SMS manager
  • dA is a flag device_admin_set showing whether the trojan is a device administrator
  • lK is a flag lock_on showing whether the device screen is locked
  • iAc is a flag accessibility_enabled showing whether the trojan has access to Accessibility Services
  • up is an uptime parameter
  • kL is a flag keylogger_enabled showing whether the keylogger is running
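
For analysts reading a registration request that has already been decrypted, the following added example (not code from the trojan or from Doctor Web) maps the short parameter names listed above to readable fields and reports which flags are set. The dictionary input, the "1"/"true" flag encoding, the responder notes and the sample values are assumptions made for illustration; the page does not specify the wire format.

```python
# Added example: field names and meanings follow the parameter list above.
# Assumptions: the request is already decrypted and parsed into a dict of
# strings, and a flag counts as set when its value is "1" or "true".
REQUEST_TYPES = {"bR": "registration", "bS": "sms", "bP": "other"}
FIELDS = {
    "tA": "imei", "tB": "phone_number", "tC": "country", "tD": "language",
    "tE": "os_version", "tF": "device_model", "tG": "carrier",
    "lA": "installed_apps", "lB": "constant", "bI": "device_md5", "up": "uptime",
}
# Flag key -> (descriptive name, note for the responder handling the device).
FLAGS = {
    "lL": ("dropper_installed", "dropper package is present as well"),
    "iA": ("default_sms_app", "trojan is the default SMS manager"),
    "dA": ("device_admin_set", "deactivate device admin before uninstalling"),
    "lK": ("lock_on", "device screen is locked"),
    "iAc": ("accessibility_enabled", "revoke the Accessibility Services grant"),
    "kL": ("keylogger_enabled", "treat input typed on the device as captured"),
}

def is_set(value):
    return str(value).strip().lower() in {"1", "true"}

def annotate(params):
    """Turn the short parameter names into a readable triage report."""
    report = {"request_type": REQUEST_TYPES.get(params.get("xc"), "unknown"),
              "device": {}, "active_flags": [], "notes": [], "unknown_keys": []}
    for key, value in params.items():
        if key == "xc":
            continue
        if key in FIELDS:
            report["device"][FIELDS[key]] = value
        elif key in FLAGS:
            if is_set(value):
                name, note = FLAGS[key]
                report["active_flags"].append(name)
                report["notes"].append(note)
        else:
            # Not on the documented list: possibly a variant, keep for review.
            report["unknown_keys"].append(key)
    return report

# Constructed sample values, not taken from a real capture.
SAMPLE = {"xc": "bR", "tA": "000000000000000", "tC": "CO", "tE": "10",
          "iA": "0", "dA": "1", "iAc": "true", "kL": "1", "zz": "?"}

if __name__ == "__main__":
    for section, content in annotate(SAMPLE).items():
        print(section, "->", content)
```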

Similar to Android.BankBot.Coper.2.origin, Android.BankBot.Coper.1.origin has a self-protection mechanism.

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2022