A powerful and fast-spreading Android malware strain dubbed CopyCat has infected 14 million Android devices.
CopyCat is primarily designed to generate and steal ad revenues. It does this by rooting compromised devices and establishing persistence. Injecting code into Zygote – the daemon responsible for launching apps in the Android operating system – allows miscreants to earn revenue by claiming credit for fraudulently installed apps: they substitute their own referrer ID for the real referrer's, so the install is attributed to them.
Where the hell are all these ads coming from?
In addition, CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for the users to figure out why they are being assaulted by pop-ups.
CopyCat also installs fraudulent apps directly to the device, using a separate module. The mobile malware successfully rooted over 54 per cent of the devices it infected, an unusually high figure that's probably due to its use of five exploits as well as its overall sophistication.
Researchers at Check Point Software said they'd encountered the malware when it attacked devices at a customer's business. Check Point's team subsequently retrieved information from the malware's Command and Control servers before applying reverse engineering techniques in order to figure out the inner workings of the malware, detailed in a blog post here.
The miscreants behind the campaign may have earned as much as $1.5m in fake ad revenues in April and May alone, Check Point estimates. Most victims to date hail from southeast Asia but the nasty has also claimed more than 280,000 victims in the United States. Researchers reckon the campaign spread via popular apps, repackaged with the malware and downloaded from third-party app stores, as well as through phishing scams. There's no evidence that CopyCat was distributed on Google Play, Google's official app store.
Check Point reported the problem to Google, which has managed to quell, if not extinguish, the threat. It's unclear who is behind the CopyCat attack; however, there are some connections to an ad network located in China, according to Check Point. It has not been suggested that the network is linked to the attack itself.
"The malware also refrains from targeting Chinese devices, suggesting the malware developers are Chinese and want to avoid any investigation by local law enforcement, a common tactic in the malware world," Check Point speculates.
CopyCat Android scam flowchart [source: Check Point blog post]
Mark Noctor, VP EMEA at Arxan Technologies, said that the speed of the spread of CopyCat malware shows how effective corrupted apps are as a vehicle for slinging malware.
"Reverse engineering a popular legitimate app not only means that victims are much more likely to download it, but a functional clone will also mean they have no idea their device has been compromised, leaving the attacker free to continually harvest data or infect others," Noctor said.
"Despite the clear risks of using third party sources to download apps, the practice is still very common – with, for example, large numbers of users using unauthorised sources to download Pokémon Go last summer to jump ahead of regional rollout delays," he added. ®