The CopyCat malware affected over 14 million Android devices a year ago, rooting eight million of them and earning the hackers behind the attack approximately $1.5 million in fake ad revenue in two months, Israel-based IT security provider Check Point has revealed.
"This is the first adware discovered using this technique", said Check Point researchers, while noting that the tactic had first been introduced by the money-stealing malware Triada. The attack primarily hit Android users in Asia but was relatively widespread, infecting more than 280,000 devices in the United States.
There was no evidence that CopyCat was distributed on Google Play Store.
CopyCat injects code into Zygote, the Android process that launches apps, which lets the attackers earn revenue by taking credit for fraudulently installed apps: the malware substitutes the real referrer's ID with their own, Check Point explained in a blog post.
In addition, CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it hard for users to figure out why they are being bombarded with pop-ups. The mobile malware successfully rooted over 54 per cent of the devices it infected, an unusually high figure that is probably due to its use of five exploits as well as its overall sophistication.
Many of CopyCat's capabilities derive from rooting the infected device as soon as the infection takes place.
At first glance the CopyCat malware doesn't seem like a huge threat to end users. Some have blamed the Chinese ad network MobiSummer for the malware, since its name appears in some of the code and the two also use the same remote services. In its blog, Check Point admitted it is possible the hackers "used MobiSummer's infrastructure" without the firm's knowledge. The malware also made it onto some devices via phishing scams, the researchers noted.
The malware works by lingering until the smartphone is restarted; CopyCat then registers for several events on the system server. Unless the device is patched, the malware can stay on the device essentially forever. It had the ability to gain root permissions, maintain persistence and control "any activity" on compromised devices.
Twenty-six percent of the infected devices were used to display the fake ads, while 30 percent were used to steal credit through referral programs for apps downloaded onto the device through the Google Play Store, even though the Google Play Store itself was not used to spread CopyCat. These predefined conditions are meant to minimize the user's suspicion while disguising the app that is the source of the pop-up ads. It additionally starts displaying fraudulent ads and apps. CopyCat specifically targets the mobile ad firm Tune. The malware was delivered by illegitimate apps hosted on unofficial app markets. How was this malware so successful?
"Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available", the research team said.