ThreatFabric’s analysts uncovered a network of phishing websites targeting Italian online-banking users and aiming to steal their banking credentials. Further research defined a connection between this network and the Android banking Trojan dubbed Copybara, that is involved in telephone-oriented attack delivery performed by the threat actors. Latest version of it introduced unique feature that allows to build and show dynamic fake forms on the fly. With the increase in popularity of voice phishing (vishing) attacks, where criminals coach victims into installing Android banking malware, we are entering a new era of hybrid fraud attacks. Despite the popularity of this technique, and the clear trend based on campaigns discovered, vishing used as malware distribution tactic is currently not covered by MITRE mobile matrix.