CopyCat Android Malware Strikes a Unique Pose

The CopyCat malware, in direct contrast to its name, is breaking new ground as it surpasses 14 million infections.

The bad code, which targets Android devices globally, uses a novel technique to generate and steal advertising revenues. The hackers behind the campaign have raked in approximately $1.5 million in fake ad revenues in two months.

While CopyCat infects users mainly in Southeast Asia, it has also spread to more than 280,000 Android users in the United States.

“It is a fully developed malware with vast capabilities, including rooting devices, establishing persistency and injecting code into Zygote — a daemon responsible for launching apps in the Android operating system — that allows the malware to control any activity on the device,” Check Point researchers noted in an analysis.

Out of the 14 million infected devices, CopyCat has rooted approximately 8 million of them.

The researchers first encountered the malware when it attacked devices at a business protected by Check Point SandBlast Mobile. Check Point retrieved information from the malware's Command and Control servers, and conducted a full reverse engineering of its inner workings, which revealed that CopyCat uses state-of-the-art technology to conduct various forms of ad fraud.

“Upon infection, CopyCat first roots the user’s device, allowing the attackers to gain full control of the device, and essentially leaving the user defenseless,” the researchers said. “CopyCat then injects code into the Zygote app launching process, allowing the attackers to receive revenues by getting credit for fraudulently installing apps by substituting the real referrer’s ID with their own. In addition, CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for the users to understand what’s causing the ads to pop up on their screens. CopyCat also installs fraudulent apps directly to the device, using a separate module.”