Xafecopy Trojan is malware targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab.[2][6]
Xafecopy has been found using JavaScript file names that were previously used by the infamous Ztorg Trojan, triggering speculation about possible code sharing between cybercriminal gangs.
The malware works on WAP-enabled Android devices over a GPRS or 3G wireless connection and is based on the Ubsod family.
Once the URL address is received at the device, the malware clicks on the WAP billing links, which initiates a WAP session with the server. The server then obtains the user's MSISDN, charges the user's mobile carrier bill directly, and subscribes the user to unwanted paid services.[12]
Modified versions of Xafecopy were also found to be capable of sending SMS messages from the device to premium-rate phone numbers, deleting incoming SMS messages from the mobile network provider, and hiding alerts about balance deductions by reading incoming messages and checking for words like "subscription".