CopyCat Android malware infected 14 Million devices and rooted 8 Million

Researchers at Check Point spotted a new family of Android malware dubbed CopyCat that infected 14 million devices and rooted 8 million of them.

Researchers at Check Point’s Mobile Research Team have spotted a new family of Android malware that infected 14 million devices and rooted 8 million of them.

According to the experts, the new strain of Android malware, dubbed CopyCat, allowed its authors to earn $1.5 million from April to May 2016 through an ad fraud scheme.

“Check Point researchers identified a mobile malware that infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues in two months.” states the analysis published by the researchers. “CopyCat is an extensive campaign that infected 14 million devices globally, rooting 8 million of them, in what researchers describe as an unprecedented success rate. Check Point researchers estimate that the malware generated $1.5 million for the group behind the campaign.”

Researchers with Check Point’s Mobile Research Team first spotted CopyCat in March. The largest share of infections is in Southeast Asia (55%) and Africa (18%), but infections in the US are increasing.

Attackers spread the malware by trojanizing popular apps that were made available for download on third-party app stores.

Once installed on the target mobile device, the malware waits for it to reboot, then downloads a series of exploits from an Amazon S3 bucket in order to root the device.

“Once the device has restarted, CopyCat downloads an “upgrade” pack from an S3 bucket, a web storage service provided by Amazon. This pack contains six common exploits with which the malware attempts to root the device.” continues the analysis.

“If successful, CopyCat installs another component to the device’s system directory, an activity which requires root permissions, and establishes persistency, making it difficult to remove.”

The malware injects code into Zygote, the Android core process that launches apps; with this technique the attackers gain administrative privileges over the device.

CopyCat isn’t the first malware targeting Zygote: in 2016 experts at Kaspersky and at Check Point found the Triada Android Trojan using the same technique.

According to the experts at Check Point, the authors of the CopyCat malware inject code into the Zygote process to take credit for apps fraudulently installed on the device, swapping out the referrer IDs of legitimate apps with their own.

The crooks also earn money by displaying fake ads and installing fake apps.

The analysis of the C&C servers revealed that between April and May the attackers served fake ads to 3.8 million devices, while on another 4.4 million devices they stole credit for installing apps from Google Play.

It’s interesting to note that CopyCat used a bundle of old exploits to root millions of devices, such as Towelroot; the other exploits date from 2013 and 2014. This means that the success of the CopyCat attack was possible because of the large number of unpatched devices.

Malware experts believe that the Chinese ad network MobiSummer could be behind the CopyCat malware.

“It is unclear who is behind the CopyCat attack, however, there are several connections to MobiSummer, an ad network located in China. It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge.” states the analysis.

“The first connection between the company and the malware is the server, which operates both the malware and some of MobiSummer’s activity. In addition, some of the malware’s code is signed by MobiSummer itself, and some of the remote services used by the malware were created by the company. The malware also refrains from targeting Chinese devices, suggesting the malware developers are Chinese and want to avoid any investigation by local law enforcement, a common tactic in the malware world.”

Check Point reported findings of its investigation to Google.

Pierluigi Paganini 

(Security Affairs – CopyCat Android malware, Android Malware)
