CopyCat, a newly uncovered Android malware, roots devices, establishes persistence and injects code into Zygote, the process from which every Android app is launched. The strain has already infected about 14 million Android devices worldwide and earned its operators an estimated $1.5 million in fraudulent ad revenue.
Of the 14 million devices affected, roughly 8 million were rooted, 4.4 million were used to steal install-referral credit for apps installed from Google Play, and 3.8 million were used to serve fraudulent ads. Most victims are in South and Southeast Asia, with India the most affected country, followed by Pakistan, Bangladesh, Indonesia and Myanmar; over 381,000 devices were infected in Canada and more than 280,000 in the United States. These figures come from the Check Point researchers who discovered the strain.
How CopyCat works
According to Check Point, CopyCat uses "state-of-the-art technology" to carry out ad fraud. To root devices it bundles several public exploits, including CVE-2015-3636 (PingPongRoot), CVE-2014-3153 (Towelroot) and CVE-2013-6282 (VROOT), all of which target Android 5.0 and earlier. These vulnerabilities are old and widely known, the most recent of them having been disclosed two years before the campaign, which shows that millions of Android users still run old, unpatched and unsupported devices.
CopyCat is distributed disguised as a popular Android application offered on third-party app stores. Once the app is installed, the malware collects information about the device and downloads rootkits (packaged rooting exploits) that it uses to root it.
Once the device is rooted, the malware has the privileges to disable security defenses and inject code into the Zygote process. Because every app process is forked from Zygote, code injected there is inherited by every app that is launched afterwards, which CopyCat uses to install apps fraudulently, display ads and generate revenue.
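As an added example (not code from the page or from Check Point), a small Python triage script that covers the two checks a practitioner would want after reading the paragraphs above: whether a device's Android release falls in the range the listed root exploits target, and whether Zygote has executable code mapped from a location a stock system never loads code from. The `getprop` and `/proc/<pid>/maps` text is constructed for the example; on a real device you would pull it with `adb shell getprop` and `adb shell cat /proc/$(pidof zygote)/maps` (reading another process's maps usually needs root, and if `pidof` is not available on an old build, take the pid from `ps`). The trusted-path list is an assumption of the example, not an allowlist published by Google.

```python
import re

# Constructed sample of `adb shell getprop` output for an old device
# (not captured from a real CopyCat victim).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.model]: [ExampleDevice]
"""

# Constructed sample of /proc/<zygote pid>/maps. The /data path and the
# anonymous rwx region are what an injected payload typically looks like;
# the other lines are normal for a stock device.
SAMPLE_ZYGOTE_MAPS = """\
b6f00000-b6f20000 r-xp 00000000 b3:19 1234   /system/lib/libc.so
b6f20000-b6f40000 r-xp 00000000 b3:19 1235   /system/lib/libandroid_runtime.so
b6f40000-b6f41000 r--p 00000000 b3:19 1236   /system/framework/framework.jar
b7000000-b7010000 r-xp 00000000 b3:1a 9876   /data/data/com.example.fake/files/libpayload.so
b7010000-b7020000 rwxp 00000000 00:00 0
beff0000-bf011000 rw-p 00000000 00:00 0      [stack]
"""

# The root exploits the article lists, and the release range it attributes
# to them (Android 5.0 and earlier).
ROOT_EXPLOITS = [
    "CVE-2015-3636 (PingPongRoot)",
    "CVE-2014-3153 (Towelroot)",
    "CVE-2013-6282 (VROOT)",
]
MAX_AFFECTED_RELEASE = (5, 0)

# Locations from which zygote legitimately maps executable code on a stock
# device. This is a heuristic chosen for the example, not an official list.
TRUSTED_EXEC_PREFIXES = ("/system/", "/vendor/", "/apex/", "/dev/ashmem", "[")

GETPROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)
# address range, perms, offset, dev, inode, optional path
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_getprop(text):
    """Turn `getprop` output into a dict of property name -> value."""
    return {m.group(1): m.group(2) for m in GETPROP_RE.finditer(text)}


def version_tuple(release):
    """'4.4.2' -> (4, 4, 2); non-numeric suffixes are dropped."""
    parts = []
    for piece in release.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def in_exploit_range(release, max_release=MAX_AFFECTED_RELEASE):
    """True if the release is Android 5.0 or earlier (major.minor only)."""
    return version_tuple(release)[:2] <= max_release


def suspicious_mappings(maps_text):
    """Flag executable mappings in zygote from outside trusted system paths,
    and anonymous rwx regions. Returns a list of (reason, detail) tuples."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.group(1), m.group(2), m.group(3), m.group(4).strip()
        executable = "x" in perms
        if path and executable and not path.startswith(TRUSTED_EXEC_PREFIXES):
            findings.append(("exec_from_untrusted_path", path))
        elif not path and perms.startswith("rwx"):
            findings.append(("anonymous_rwx", f"{start}-{end}"))
    return findings


def triage(getprop_text, maps_text):
    """Combine both checks into one report for a device."""
    release = parse_getprop(getprop_text).get("ro.build.version.release", "")
    exposed = in_exploit_range(release)
    return {
        "release": release,
        "in_exploit_range": exposed,
        "applicable_exploits": ROOT_EXPLOITS if exposed else [],
        "zygote_findings": suspicious_mappings(maps_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_GETPROP, SAMPLE_ZYGOTE_MAPS)
    print(f"Android {report['release']}: in root-exploit range: {report['in_exploit_range']}")
    for reason, detail in report["zygote_findings"]:
        print(f"  zygote: {reason}: {detail}")
```

Both checks are heuristics. A device deliberately rooted by its owner (Xposed, Magisk modules) will also show non-system code in Zygote, and some runtimes keep rwx JIT regions, so a hit means "look closer", not "infected"; conversely a clean maps listing only says nothing is loaded right now. The version check matters on its own: a device that passes the Zygote check but still runs Android 5.0 or earlier remains rootable by the same public exploits.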
Who's behind it?
Check Point could not attribute CopyCat conclusively, but found several links to MobiSummer, a Chinese ad network:
- CopyCat and MobiSummer use the same remote services
- Several sections of CopyCat's code are signed by MobiSummer
- CopyCat and MobiSummer operate from the same server
- CopyCat did not target Chinese users, even though more than half of its victims are in Asia
Check Point informed Google of the campaign in March 2017, and Google has updated Play Protect to detect and block the malware. Play Protect is updated regularly as new malware families appear, but it only covers devices that run Google Play services, and it does not patch the kernel vulnerabilities CopyCat exploits: a device still on Android 5.0 or earlier remains rootable by the same exploits, and a device that has already been rooted with code injected into Zygote should be treated as fully compromised rather than simply cleaned.