Skip to content
Malware family

Coper

Coper is an Android banking trojan/loader family active in mobile threat campaigns, with sustained activity particularly targeting users in Türkiye/Turkey.

Profile source: Mallory opens in a new tab

Coper

Family profile

Coper is an Android banking trojan/loader family active in mobile threat campaigns, with sustained activity particularly targeting users in Türkiye/Turkey. Kaspersky reporting cited Trojan-Banker.AndroidOS.Coper variants such as Coper.a and Coper.c among the most active mobile banking threats, with Coper.c ranking highly in both Q3 2024 and Q3 2025 telemetry and Turkish users frequently attacked by Android.BankBot.Coper variants. The malware is associated with banking credential and financial theft activity, and related campaigns in Turkey were also linked to SMS-stealing malware.

Reverse-engineering content in the provided material describes Coper as using an Android native library to hide and load its payload. In the analyzed sample, the native code used static JNI registration rather than JNI_OnLoad, referenced APK resources and dalvik/system/DexClassLoader, retrieved an encrypted payload from application resources, decrypted it, and loaded a .dex into the application context. The decryption routine was identified as RC4 based on observed key-scheduling and PRGA/XOR logic. The analyzed native function was Java_com_morninghislbg_FxvheRBQy_odGLksAlj, and strings recovered from the library included com.morninghislbg:raw/urdvipkyjahgh, getResources, dalvik/system/DexClassLoader, setAccessible, and Reflect/Field. The referenced sample hash was ced80229a4f46990c854c7c81dbaa7fec3dd06dd537992e5d6d3bd316add45d2.

Kaspersky also reported that Trojan-Dropper.Linux.Agent.gen, an obfuscated ELF dropper, was linked to Trojan-Banker.AndroidOS.Coper.c. The content further notes possible MaaS associations: a GitHub profile observed in Frogblight research had repositories for Frogblight and also for Coper malware distributed under a Malware-as-a-Service model, suggesting possible operator or ecosystem overlap, though attribution was not confirmed. Overall, the provided content supports Coper as a widely seen Android banking malware family using obfuscation and staged payload loading, with notable concentration in Turkish-targeted campaigns.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 17, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
1 IP / 16 hostnames

Leading locations

  • US7
  • ES1
  • IE1

Leading providers

  • Amazon.com, Inc.5
  • Google LLC2
  • Amazon.com, Inc.1
  • ExaCloud Factory, S.L.1

Infrastructure traits

  • Hosting 9
  • Vpn 2

Samples

Recent associated samples

MITRE ATT&CK

Coper in ATT&CK

6 distinct techniques

Reporting

Research mentioning Coper

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.