Researchers at Check Point’s Mobile Research Team have spotted a new family of Android malware that infected 14 million devices and rooted 8 million of them.
According to the experts, the new strain of Android malware, dubbed CopyCat, allowed its authors to earn $1.5 million from April to May 2016 by implementing an ad fraud scheme.
“Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues in two months.” states the analysis published by the researchers. “CopyCat is an extensive campaign that infected 14 million devices globally, rooting 8 million of them, in what researchers describe as an unprecedented success rate. Check Point researchers estimate that the malware generated $1.5 million for the group behind the campaign.”
Researchers with Check Point’s Mobile Research Team spotted CopyCat in March. The largest number of infections is in Southeast Asia (55%) and Africa (18%), but infections in the US are increasing.
Attackers spread the malware by trojanizing popular apps that were made available for download on third-party app stores.
Once installed on the target mobile device, the malware waits for it to reboot, then downloads a series of exploits from an Amazon S3 bucket in order to root the device.
“Once the device has restarted, CopyCat downloads an “upgrade” pack from an S3 bucket, a web storage service provided by Amazon. This pack contains six common exploits with which the malware attempts to root the device.” continues the analysis.
“If successful, CopyCat installs another component to the device’s system directory, an activity which requires root permissions, and establishes persistency, making it difficult to remove.”
The malware injects code into Zygote, the process in the Android core that launches apps; with this technique the attackers gain admin privileges.
CopyCat isn’t the first malware targeting Zygote. In 2016, experts at Kaspersky and at Check Point found the Triada Android Trojan using the same technique.
According to the experts at Check Point, the authors of the CopyCat malware inject code into the Zygote process to get credit for fraudulently installed apps on the device by swapping out the referrer IDs of legitimate apps with their own.
The crooks also earn money by displaying fake ads and installing fake apps.
The analysis of the C&C servers revealed that between April and May the attackers served fake ads to 3.8 million of the devices, while stealing credit for installing apps on Google Play from 4.4 million other devices.
It’s interesting to note that the CopyCat malware used a set of old exploits, such as Towelroot, to root millions of devices; other exploits were from 2014 and 2013. This means that the success of the CopyCat attack was possible due to a large number of unpatched devices.
Malware experts believe that the Chinese MobiSummer ad network could be behind the CopyCat malware.
“It is unclear who is behind the CopyCat attack, however, there are several connections to MobiSummer, an ad network located in China. It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge.” states the analysis.
“The first connection between the company and the malware is the server, which operates both the malware and some of MobiSummer’s activity. In addition, some of the malware’s code is signed by MobiSummer itself, and some of the remote services used by the malware were created by the company. The malware also refrains from targeting Chinese devices, suggesting the malware developers are Chinese and want to avoid any investigation by local law enforcement, a common tactic in the malware world.”
Check Point reported the findings of its investigation to Google.
(Security Affairs – CopyCat Android malware, Android Malware)