Xafecopy Trojan: How to protect your money from being stolen through your smartphone?

With the rapid growth of technology in the Digital World, the number of cybersecurity breaches has grown proportionately or even more. The year 2017 has witnessed numerous ransomware and malware attacks across the world so far. The new malware “Xafecopy Trojan” which steals money from mobile phone users has been recently detected by 'Kaspersky', a Russia based internet security firm. The malware has already infected more than 4800 Android users in just a month in around 47 countries including India, Russia, Turkey, and Mexico. The penetration rate reveals that an alarming rate of 40 percent of the malware's targets has been in India.

How does Xafecopy Trojan work?

The Xafecopy Trojan is categorized as a malware; because it gets side loaded along with other useful apps (e.g. BatteryMaster) and then loads malicious code onto the device. The major entry point for any ransomware or malware is the installation of unverified or untrusted apps from unknown sources. Once the unverified app gets affected with Xafecopy Trojan or any other malware, they spread in the root files of the smartphone and operate discreetly.

The Xafecopy malware operates by clicking on web pages with WAP (Wireless Application Protocol) billing system which is a form of mobile payment system that charges directly to the user's mobile bill. The malware works in WAP-enabled Android devices over an internet connection. It receives the WAP billing URL addresses of the web pages through a command-and-control server. Once the URL  of the WAP billing system is received at the device, the malware clicks on the WAP billing links which initiates a WAP session with the server, which then obtains the user's MSISDN (Mobile Station International Subscriber Directory Number) and charges directly to the user's mobile carrier bill and subscribes to any unwanted paid service(s).

The malware is claimed to be using a technology which bypasses the CAPTCHA systems. Some of the modified versions of Xafecopy are capable of sending SMS from the device to other premium phone numbers, deleting incoming SMS from the mobile network provider, hiding alerts about balance deduction of the user etc.; hence the user remains unaware about the suspicious activity being carried out on the back end. The malware is also capable of switching a user from a Wi-Fi connection to mobile data as WAP billing works only when the user is connected to a mobile connection.

How to identify if your device is affected?

  • As the malware works through WAP billing, it requires a mobile data connection to operate; and therefore the trojan automatically disables the Wi-Fi connection. If you notice that your smartphone turns off the Wi-Fi connection randomly, then there is a need to get your phone checked immediately.
  • Also, verify your monthly bill for details. If you diagnose any service activated apart from your knowledge, get in touch with the telecom operator and seek information on it. Get the service canceled and identify the app that raised the request to activate that service.

How to protect devices against such threats?

  • Prohibit the installation of apps from unknown sources. This type of trojan or malware can be distributed through various advertisements and with this prohibition in place, you simply will not be allowed to install them.
  • Install a reliable mobile security anti-virus and internet security app for Android devices that keep a check on apps' activity.
  • Run a background check of all the apps using 'Google Play Protect' (https://www.android.com/play-protect) to understand if all the apps are safe. If the phone fails to respond while scanning the app or if the list of apps shows fewer apps than what you have installed, then look at the apps that do not feature in the Google Play Store app list and uninstall them at the earliest.
  • Contact the respective telecom operator to disable the WAP billing service from the back end.

How to Remove Xafecopy Malware from the affected device?

If your device is already infected by the malware, you can follow the below steps to remove this dangerous malware from your device.


Tap the 'Settings' button on your android device.


Navigate to the 'Apps' section.


Locate the app from the app list you want to have removed from your device.

In most of the cases, you can click on the 'UNINSTALL' button and be done with it. In some cases, the malware might have managed to give itself administrator privilege and the 'UNINSTALL' button would have been disabled.

To enable the Uninstall button, go to

Settings -> Security -> Device Administrators

There you can see a list of apps that have admin status within your system. These would be probably listed under “Android Device manager”. Remove the problematic App from the list. Now you should be able to remove it as normal.


Install an android based anti-virus or update the existing anti-virus and perform a security scan on the device to wipe out any junk data related to the malware.

It is always recommended to take optimum care while installing any App. Also, don't trust using resources from an unknown source. Because Prevention is better than Cure.

Authored By - Sambit Kumar Dash
TCS Cyber Security Practice

Rate this article: 
No votes yet
Article category: