Dubbed CopyCat, the malware has capabilities to root infected devices, establish persistence, and inject malicious code into Zygote – the daemon responsible for launching apps on Android – giving the hackers full access to the devices.
Over 14 Million Devices Infected; 8 Million of them Rooted
According to the security researchers at Check Point who discovered this malware strain, CopyCat malware has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play.
While the majority of victims hit by the CopyCat malware reside in South and Southeast Asia, with India being the most affected country, more than 280,000 Android devices in the United States were also infected.
While there's no evidence that the CopyCat malware has been distributed on Google Play, the Check Point researchers believe that millions of victims got infected through third-party app downloads and phishing attacks.
Like Gooligan, CopyCat malware also uses "state-of-the-art technology" to carry out various forms of advertisement fraud.
CopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot), to hit devices running Android 5.0 and earlier. All of these exploits are old and widely used, the most recent of them uncovered 2 years ago.
The success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices.
Here's How CopyCat Infects Android Devices
CopyCat disguises itself as a popular Android app that users download from third-party stores. Once downloaded, the malware starts collecting data about the infected device and downloads rootkits to help root the victim's smartphone.
After rooting the Android device, the CopyCat malware removes security defenses from the device and injects code into the Zygote app-launching process to fraudulently install apps, display ads, and generate revenue.
"CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what's causing the ads to pop up on their screens," Check Point researchers say.
"CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware."

In just two months, the CopyCat malware helped the hackers make more than $1.5 Million in revenue. The majority of the profit (over $735,000) came from nearly 4.9 million fake installations on infected devices, which displayed up to 100 million ads.
The majority of victims are located in India, Pakistan, Bangladesh, Indonesia, and Myanmar, though over 381,000 devices in Canada and more than 280,000 devices in the U.S. are infected with CopyCat.
CopyCat Malware Spreads Using Chinese Advertising Network
While there's no direct evidence of who is behind the CopyCat malware campaign, researchers at Check Point found the following connections, which indicate the hackers might have used the Chinese advertising network 'MobiSummer' to distribute the malware:
- CopyCat malware and MobiSummer operate on the same server
- Several lines of CopyCat's code are signed by MobiSummer
- CopyCat and MobiSummer use the same remote services
- CopyCat did not target Chinese users despite over half of the victims residing in Asia
"It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer's code and infrastructure without the firm's knowledge," Check Point researchers say.

Android users on older devices are still vulnerable to the CopyCat attack, but only if they are downloading apps from third-party app stores.
In March 2017, Check Point researchers informed Google about the CopyCat campaign, and the tech giant has already updated Play Protect to block the malware.
So, Android users, even those on older devices, are protected through Play Protect, which is updated regularly as malware strains such as CopyCat continue to grow.
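The two exposure conditions the article gives (Android 5.0 or earlier, the range the three root exploits reach, and installing apps from outside Google Play) can be turned into a simple device check. The script below is an added example, not Check Point's tooling or code from the article; it assumes the output of the real `adb shell getprop` and `adb shell settings get secure install_non_market_apps` commands, and the sample `getprop` output is constructed.

```python
"""Exposure check for the CopyCat criteria described in the article.

Parses `adb shell getprop` output and the value of the secure setting
`install_non_market_apps` ("1" means installs from unknown sources are
allowed on pre-Oreo Android). A device is flagged as exposed when it runs
Android 5.0 or earlier AND allows installs from outside Google Play.
"""
import re

# Constructed sample of `adb shell getprop` output (assumption: one
# `[key]: [value]` property per line, as getprop prints it).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.model]: [Example Phone]
"""

# Root exploits named in the article and the Android range they cover.
COPYCAT_ROOT_CVES = ("CVE-2013-6282", "CVE-2015-3636", "CVE-2014-3153")
MAX_AFFECTED_RELEASE = (5, 0)  # "Android 5.0 and earlier"

def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props

def release_tuple(release):
    """'5.1.1' -> (5, 1); only major.minor matter for the 5.0 cut-off."""
    parts = release.split(".")
    major = int(parts[0]) if parts[0].isdigit() else 0
    minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (major, minor)

def assess(getprop_text, non_market_setting):
    """Return why the device is (or is not) exposed to the CopyCat chain.

    non_market_setting is the raw output of
    `settings get secure install_non_market_apps` ("1", "0" or "null").
    """
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "0")
    old_android = release_tuple(release) <= MAX_AFFECTED_RELEASE
    sideload = non_market_setting.strip() == "1"
    return {
        "release": release,
        "in_exploit_range": old_android,
        "sideload_enabled": sideload,
        "exposed": old_android and sideload,
        "relevant_cves": COPYCAT_ROOT_CVES if old_android else (),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_GETPROP, "1"))
```

A device on Android 6.0 or later, or one with unknown sources disabled, is reported as not exposed; the check says nothing about whether a device is already infected.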