Is Your Android Phone Infected with Xafecopy Malware?


Cyber security researchers have recently identified new malware targeting the Android operating system. The malware, dubbed the Xafecopy Trojan, is designed to steal money from users of Android mobile phones. It has widely penetrated devices in India: reports state that around 40% of the infections have so far been found here.

How does the infection occur?

Infection occurs when a user downloads unverified apps from sources outside authentic app stores. Cyber criminals attach the Xafecopy Trojan to useful-looking apps such as “battery savers” that users download unsuspectingly. Sometimes the malware also gets sideloaded with such useful-sounding apps.

By default, apps from unknown sources are not allowed to be installed, and the user is warned against installing such apps. Knowing the risks, the user has to explicitly allow the download and installation of such apps. Once the app is allowed to be installed, the malware spreads to root files and from there on operates secretly.

How does the Xafecopy malware steal money?

On successful installation, the Xafecopy Trojan is programmed to click on web pages that feature WAP billing (Wireless Application Protocol billing). This is a unique type of billing that does not require any credit card information, and it does not require any CAPTCHA for added security either. This mobile billing system charges the cost of purchases made on those “WAP web pages” to the user’s phone bill, and users become aware of these charges only after they receive the bill.

What is WAP billing?

WAP billing allows users to purchase content from WAP websites. Typically, websites that provide mobile entertainment content such as ringtones, wallpapers, mobile games, adult content, etc. use this type of billing. The user does not have to create an account or provide any credentials, which gives them a safe channel to purchase questionable content. In this process, the user has to click on a link and also agree to the purchase.

Fraudulent websites that provide such mobile content may be resorting to releasing malware to increase the revenue of their websites. The Xafecopy Trojan malware clicks on links and agrees to the purchases without the knowledge of the user.

Certain indications can show whether your device is infected:

  • Check your bill for any excess charges, and for billing/activation of any service that you had not requested
  • If your Wi-Fi gets disabled at random
  • If your mobile connection gets activated at random – the malware requires a mobile data connection to connect to the WAP billing websites.

How to protect your Android device from Xafecopy Trojan malware

  • Do NOT allow installation of apps from unknown sources
  • Disable/deactivate any service that you did not request
  • Use Google Play Protect to check the safety of all the apps on your device
  • Uninstall/disable all apps not listed on Google Play Store
  • Contact your telecom operator and disable WAP billing option.
  • Install a robust mobile internet security (endpoint) product that uses a default-deny concept to block all unknown applications and continuously monitors the device for suspicious activity.
