Saturday, November 18, 2017

14 Million Devices Infected by CopyCat Android Rooting Malware

CopyCat, a newly uncovered strain of Android malware, roots the devices it infects, establishes persistence and injects malicious code into Zygote, the process Android uses to launch every app. It has already infected 14 million Android devices around the world and earned its operators approximately $1.5 million in fraudulent ad revenue.

Of the 14 million infected devices, nearly 8 million were successfully rooted, 4.4 million were used to steal credit for installing apps from Google Play, and 3.8 million were used to serve ads. Most victims are in South and Southeast Asia, with India the most affected country, followed by Pakistan, Bangladesh, Indonesia and Myanmar; outside the region, over 381,000 devices were infected in Canada and more than 280,000 in the United States. All of these figures come from the Check Point researchers who discovered the strain.

How CopyCat works

CopyCat uses what Check Point describes as "state-of-the-art technology" to commit ad fraud. It carries several rooting exploits, including CVE-2015-3636 (PingPongRoot), CVE-2014-3153 (Towelroot) and CVE-2013-6282 (VROOT), which target Android 5.0 and earlier. All three are old and widely used, and even the most recent of them was disclosed two years before this campaign was uncovered. That they still work on millions of devices shows how many Android users are running old, unpatched and unsupported devices.

CopyCat spreads disguised as a popular third-party Android application, which users download from third-party app stores rather than Google Play. Once the app is installed, the malware collects information about the device and downloads the rooting kit it needs to root it.

Once the device is rooted, the malware has the access it needs to disable security defenses and inject its code into the Zygote process from which every app is launched, allowing it to fraudulently install apps, display ads and generate revenue from both.
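The two facts a responder would want to check on a device after reading the chain above are whether it is in the Android 5.0-and-earlier range the rooting exploits target, and whether anything has been loaded into Zygote from outside the system image, which is what a Zygote code injection looks like from the outside. The script below is an added example written for this page, not Check Point's tooling and not code from the article. It parses the text you would get from `adb shell getprop` and from `/proc/<zygote pid>/maps`; the trusted-path prefixes and the sample output are assumptions constructed for the example, not indicators from the report.

```python
"""Triage helper for the CopyCat-style infection chain described above.

Added example, not Check Point's code and not from the article. Input is the
text of `adb shell getprop` and `/proc/<zygote pid>/maps`. All sample data
below is constructed for the example.
"""
import re

# The article names exploits used against Android 5.0 and earlier.
# Assumption: comparing the major.minor release is enough for triage.
MAX_TARGETED_RELEASE = (5, 0)

# Locations a stock Zygote is expected to map code from. Code mapped from a
# writable location such as /data or /sdcard is flagged. This allowlist is a
# heuristic chosen for the example, not a Check Point indicator.
TRUSTED_CODE_PREFIXES = ("/system/", "/vendor/", "/apex/", "/dev/", "/oem/")


def parse_getprop(text):
    """Parse `adb shell getprop` output ('[key]: [value]' lines) into a dict."""
    props = {}
    for m in re.finditer(r"\[([^\]]+)\]:\s*\[([^\]]*)\]", text):
        props[m.group(1)] = m.group(2)
    return props


def release_tuple(release):
    """'4.4.2' -> (4, 4). Non-numeric or missing components count as 0."""
    nums = []
    for part in release.split(".")[:2]:
        try:
            nums.append(int(part))
        except ValueError:
            break
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums)


def in_targeted_range(props):
    """True when the reported release is 5.0 or earlier."""
    rel = props.get("ro.build.version.release", "")
    if not rel:
        return False  # unknown release: report it, don't guess
    return release_tuple(rel) <= MAX_TARGETED_RELEASE


def suspicious_zygote_mappings(maps_text):
    """Executable mappings in Zygote backed by files outside trusted prefixes."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode path
        if len(fields) < 6:
            continue  # anonymous mapping with no path to attribute
        perms, path = fields[1], fields[5].strip()
        if "x" not in perms:
            continue  # data, not code
        if path.startswith("[") or path.startswith("/dev/ashmem"):
            continue  # [anon:...], [stack], ashmem regions
        if not path.startswith(TRUSTED_CODE_PREFIXES):
            hits.append(path)
    return sorted(set(hits))


def triage(getprop_text, maps_text):
    """Summarise the two checks for one device."""
    props = parse_getprop(getprop_text)
    return {
        "release": props.get("ro.build.version.release", "?"),
        "targeted_range": in_targeted_range(props),
        # ro.build.version.security_patch only exists from Android 6.0 on,
        # so a device in the targeted range will not report one at all.
        "security_patch": props.get("ro.build.version.security_patch", "(none)"),
        "zygote_foreign_code": suspicious_zygote_mappings(maps_text),
    }


# Constructed sample output, not from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.model]: [ExampleDevice]
"""
SAMPLE_MAPS = """\
b6f00000-b6f20000 r-xp 00000000 b3:0e 1234 /system/lib/libc.so
b6f40000-b6f50000 r-xp 00000000 b3:0e 5678 /system/bin/app_process
b7000000-b7010000 r-xp 00000000 b3:0f 9999 /data/local/tmp/libinject.so
b7020000-b7030000 rw-p 00000000 00:00 0 [anon:libc_malloc]
b7040000-b7050000 r--p 00000000 b3:0f 9998 /data/data/com.example/files/config
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_GETPROP, SAMPLE_MAPS).items():
        print(f"{key}: {value}")
```

On a real device, feed it `adb shell getprop` and `adb shell su -c cat /proc/$(pidof zygote)/maps`; reading another process's maps needs root, which on a compromised device you should assume the malware has and you may not. Run it from a forensic image or a rooted reference build where possible.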

“CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop-up on their screens,” Check Point researchers say.
“CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware.”
As noted above, the $1.5 million was earned in just two months; most of it came from 4.9 million fraudulent app installations and from displaying up to 100 million ads.

Who’s behind It?

Check Point researchers believe a Chinese firm is behind CopyCat, pointing to several connections between the malware and MobiSummer, a Chinese advertising network:
  • CopyCat and MobiSummer use the same remote services
  • Several lines of CopyCat’s code are signed by MobiSummer
  • CopyCat and MobiSummer operate on the same server
  • CopyCat does not target Chinese users, even though more than half of its victims are in Asia

Check Point informed Google about CopyCat in March 2017, and Google has since updated Play Protect to block the malware. Play Protect is updated regularly to block newly discovered malware, so older Android devices that receive it are protected from CopyCat itself, even though the rooting vulnerabilities it exploits remain unpatched on those devices.
