Last seven days
- First activity
- Jul 17, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 1 IP / 16 hostnames
Coper is an Android banking trojan/loader family active in mobile threat campaigns, with sustained activity particularly targeting users in Türkiye/Turkey.
Profile source: Mallory opens in a new tabCoper
Coper is an Android banking trojan/loader family active in mobile threat campaigns, with sustained activity particularly targeting users in Türkiye/Turkey. Kaspersky reporting cited Trojan-Banker.AndroidOS.Coper variants such as Coper.a and Coper.c among the most active mobile banking threats, with Coper.c ranking highly in both Q3 2024 and Q3 2025 telemetry and Turkish users frequently attacked by Android.BankBot.Coper variants. The malware is associated with banking credential and financial theft activity, and related campaigns in Turkey were also linked to SMS-stealing malware.
Reverse-engineering content in the provided material describes Coper as using an Android native library to hide and load its payload. In the analyzed sample, the native code used static JNI registration rather than JNI_OnLoad, referenced APK resources and dalvik/system/DexClassLoader, retrieved an encrypted payload from application resources, decrypted it, and loaded a .dex into the application context. The decryption routine was identified as RC4 based on observed key-scheduling and PRGA/XOR logic. The analyzed native function was Java_com_morninghislbg_FxvheRBQy_odGLksAlj, and strings recovered from the library included com.morninghislbg:raw/urdvipkyjahgh, getResources, dalvik/system/DexClassLoader, setAccessible, and Reflect/Field. The referenced sample hash was ced80229a4f46990c854c7c81dbaa7fec3dd06dd537992e5d6d3bd316add45d2.
Kaspersky also reported that Trojan-Dropper.Linux.Agent.gen, an obfuscated ELF dropper, was linked to Trojan-Banker.AndroidOS.Coper.c. The content further notes possible MaaS associations: a GitHub profile observed in Frogblight research had repositories for Frogblight and also for Coper malware distributed under a Malware-as-a-Service model, suggesting possible operator or ecosystem overlap, though attribution was not confirmed. Overall, the provided content supports Coper as a widely seen Android banking malware family using obfuscation and staged payload loading, with notable concentration in Turkish-targeted campaigns.
C2 tracking
Derp observations, rolling seven-day window
Samples
541d197b681ce8873ac9dc246dda22d1b1480e772e839bdd1ab095c1cc972d0a 0944fcd828d4d0f4faa06b7840fb52d64a3897416042d9c30ee919ee821ceb3a 040600d688913b47f604a3ccf6297e2c1cd36bc1d4f16f2559e720edad43d2e4 2f2c22fab0c2ea3c7ce462a47af13578643bb06241855642d86379926c67541a ab19f6099d0f12ef84705e206c4025dfe4262bcf284c37593bdff4d8b0c09236 d5d675ccdcc5478611776e2dc00ec3a8626a029b91150c6ac9e058108df068b1 3cd2896406f4af49e8e11c6c6cdff94d5b78c069f17768a98d4910d2deeccde4 d24e7a0012af00a519a4f877586ed374949ae125cc10b78b010a88c3044f434e 7e002391f25c7613536662b03d6cb76a7bd0fcdb1b7a02d0d49064592cb7e3ff c3d1ab2e6a3ba09b3e43f8633ccd11b351b00b59e485f477c7f5dbe2c767d8b9 MITRE ATT&CK
Reporting
Among the most active were... Coper, Android.BankBot.Ermac... Turkish users were most often attacked by the Android.BankBot.Coper.12.origin... capable of stealing the contents of SMS.
Among the most active were the malicious apps Android.Banker.Mamont, Coper, Android.BankBot.Ermac...
This blog post is part of a recent personal investigation into a malware loader known as Coper.
"...we discovered a GitHub profile containing repos with Frogblight, which had also created repos with Coper malware, distributed under the MaaS model."
“…Coper, which targets users in Türkiye…”
Trojan-Banker.AndroidOS.Coper.a 0.51 3.58 +3.07 +30
Several more new samples entered the ranking: ... Coper.c (2.84%).
The first one was associated with an ongoing Coper banker campaign in Turkey
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.