CopyCat Android Malware Infects 14 Million Android Devices

CopyCat, an Android malware, is currently making headlines by infecting almost 14 million devices.

Recent malware attacks like the WannaCry ransomware and the Petya/NotPetya malware have swept across nations and caused enormous damage. Koler, an Android ransomware, used fake PornHub apps to infect devices across the U.S. Now there is news of a new Android malware, dubbed CopyCat, which appears to have been active for quite a while.

According to reports, this Android malware strain, which is highly capable and spreads quickly, has already helped cyber-criminals earn at least $1.5 million. The malware does this by generating and stealing ad revenue.

How Bad is It?

Check Point security researchers, who published details of the malware attack, say that they “identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues in two months.” They say that CopyCat has infected users mostly in Southeast Asia and that it has also affected more than 280,000 Android users in the U.S.

The Check Point blog post on CopyCat also says, “CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote—a daemon responsible for launching apps in the Android operating system—that allows the malware to control any activity on the device.”

The CopyCat Android malware campaign, which reached its peak “between April and May 2016,” spread via popular apps. Check Point experts make it clear that there is no evidence that CopyCat was distributed on Google Play, Google’s official app store. It mostly works its way through popular apps downloaded from third-party app stores, and also infects through phishing scams.

What does it Do?

CopyCat roots compromised devices and establishes a persistent presence. It injects code into Zygote, which lets the attackers earn revenue by taking credit for app installations; they do this by substituting their own referral ID for the legitimate one. The researchers explain: “CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop up on their screens. CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given the large number of devices infected by the malware.”
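One defender-side check for the Zygote injection described above, added here as an example that is not from the article or from Check Point's report: it parses the Linux `/proc/<pid>/maps` listing of the zygote process and flags executable, file-backed mappings that live outside the read-only system partitions. The allow-list of trusted partitions and the sample maps text (including the `com.example.dropper` path) are constructed assumptions for illustration.

```python
"""Heuristic check for foreign code mapped into Android's zygote process.

Added example, not part of the original article. The sample maps text
below is constructed; on a device you would read /proc/<pid>/maps for
the zygote (or zygote64) process instead.
"""
import re
from typing import List, Tuple

# Partitions an unmodified Android image loads zygote's code from.
# This allow-list is an assumption; adjust it to the device's build.
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/product/", "/system_ext/")

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

def parse_maps(text: str) -> List[Tuple[str, str]]:
    """Return (perms, path) for every mapping line; anonymous maps get ''."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append((m.group("perms"), m.group("path").strip()))
    return out

def suspicious_mappings(text: str) -> List[str]:
    """Paths of executable, file-backed mappings outside trusted partitions."""
    hits = []
    for perms, path in parse_maps(text):
        if "x" not in perms:
            continue  # only mappings that can run as code matter here
        if not path.startswith("/"):
            continue  # anonymous maps and [vdso]-style pseudo-paths
        if path.startswith(TRUSTED_PREFIXES):
            continue
        if path not in hits:
            hits.append(path)
    return hits

# Constructed sample resembling `cat /proc/$(pidof zygote64)/maps`
SAMPLE_MAPS = """\
7f1a000000-7f1a100000 r-xp 00000000 fd:00 1234  /system/bin/app_process64
7f1a200000-7f1a300000 r-xp 00000000 fd:00 2345  /apex/com.android.runtime/lib64/bionic/libc.so
7f1a400000-7f1a500000 rw-p 00000000 00:00 0
7f1a600000-7f1a700000 r-xp 00000000 fd:01 3456  /data/data/com.example.dropper/lib/libinject.so
7f1a800000-7f1a900000 r--p 00000000 fd:01 3456  /data/data/com.example.dropper/lib/libinject.so
7f1aa00000-7f1ab00000 r-xp 00000000 00:00 0  [vdso]
"""

if __name__ == "__main__":
    for path in suspicious_mappings(SAMPLE_MAPS):
        print("non-system code mapped into zygote:", path)
```

Reading another process's maps requires root or a debug build, and a library that is unmapped or hidden after loading will not show up, so treat a clean result as absence of evidence rather than proof of a clean device.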

In March 2017, Check Point informed Google about the CopyCat malware campaign. Google managed to quell the campaign, reducing the number of infected devices compared to the malware’s peak.
