Coper
Coper is an Android banking trojan/loader family active in mobile threat campaigns, with sustained activity particularly targeting users in Türkiye/Turkey. Kaspersky reporting cited Trojan-Banker.AndroidOS.Coper variants such as Coper.a and Coper.c among the most active mobile banking threats, with Coper.c ranking highly in both Q3 2024 and Q3 2025 telemetry and Turkish users frequently attacked by Android.BankBot.Coper variants. The malware is associated with banking credential and financial theft activity, and related campaigns in Turkey were also linked to SMS-stealing malware.
Reverse-engineering content in the provided material describes Coper as using an Android native library to hide and load its payload. In the analyzed sample, the native code used static JNI registration rather than JNI_OnLoad, referenced APK resources and dalvik/system/DexClassLoader, retrieved an encrypted payload from application resources, decrypted it, and loaded a .dex into the application context. The decryption routine was identified as RC4 based on observed key-scheduling and PRGA/XOR logic. The analyzed native function was Java_com_morninghislbg_FxvheRBQy_odGLksAlj, and strings recovered from the library included com.morninghislbg:raw/urdvipkyjahgh, getResources, dalvik/system/DexClassLoader, setAccessible, and Reflect/Field. The referenced sample hash was ced80229a4f46990c854c7c81dbaa7fec3dd06dd537992e5d6d3bd316add45d2.
Kaspersky also reported that Trojan-Dropper.Linux.Agent.gen, an obfuscated ELF dropper, was linked to Trojan-Banker.AndroidOS.Coper.c. The content further notes possible MaaS associations: a GitHub profile observed in Frogblight research had repositories for Frogblight and also for Coper malware distributed under a Malware-as-a-Service model, suggesting possible operator or ecosystem overlap, though attribution was not confirmed. Overall, the provided content supports Coper as a widely seen Android banking malware family using obfuscation and staged payload loading, with notable concentration in Turkish-targeted campaigns.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation
1 technique
Privilege Escalation
Stealth
4 techniques
Stealth
If your code looks like the figure above, it is caused by the obfuscation in place. Strings are stored on stack, however, the disassembler did not fully understand the whole structure...
Collecting resource information to see if the encrypted payload is available... Allocating a buffer, according to the resource size, that is going to contain the encrypted data... Decrypt the resource... and in the end load the .dex file into the application context.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android banking trojan (BankBot lineage) active in Turkey; steals SMS content (including banking verification codes) and related sensitive data.
Banking trojan family active in 2025; specific behaviors not detailed here beyond being a banking trojan (elsewhere referenced as stealing SMS contents).
Android malware loader that uses a native library to hide and decrypt an encrypted payload, then loads the decrypted .dex into the application context. The analysis describes JNI-based native code, obfuscation, resource extraction, and RC4-based payload decryption.
Mentioned as another Android malware family hosted in the same GitHub profile as Frogblight and described as being distributed under a Malware-as-a-Service (MaaS) model; no additional technical details provided in this content.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.