
Xafecopy

Posted: October 9, 2020

Xafecopy is a piece of Android malware that has been very active in India – almost 40% of its victims are residents of the region. However, Xafecopy's attacks do not appear to be focused on Asia – the criminals behind it are also infecting devices in Russia, Mexico, Turkey, and other countries.

This simple but effective malware engages in ad-fraud and fraudulent financial transactions. However, its modus operandi is very interesting and surprising. Usually, Trojans of this sort try to monetize their activity by either stealing financial details or sending premium text messages without the user's knowledge and approval. Xafecopy, on the other hand, makes use of an old and barely used mobile technology – WAP internet connectivity.

Xafecopy Abuses the WAP Protocol to Defraud Users Out of Their Money

While WAP is barely used nowadays because of the availability of high-speed 4G and 5G networks, it is still supported by many mobile operators. In fact, there are also online services that accept payments through the WAP protocol – the money is taken from the user's mobile account. Xafecopy exploits exactly this type of Internet connectivity – it may silently load WAP billing pages set up by the attackers and make fraudulent payments. It is also capable of using the WAP connectivity to load advertising URLs without the victim's knowledge.

While the techniques that Xafecopy uses are not very profitable, the criminals can still make a lot of money if they manage to infect more devices. At the Xafecopy campaign's peak, the attackers had managed to infect over 4,800 Android devices worldwide. This malware is often disguised as a battery optimizer or another useful application that smartphone users might be interested in. We advise you to download only software that is reputable and trustworthy, and only if it is hosted on a legitimate service.
