CopyCat malware infects 14 million Android devices, nets $1.5m

Android malware called ‘CopyCat’ was behind a massive ad fraud campaign that infected 14 million Android devices and gained root access to about 8 million of them, according to security firm Check Point. 

The company estimates that CopyCat’s operators have earned $1.5 million through fraudulently displayed ads mostly over a period of two months. 

Check Point notified Google of the malware in March and says Google claimed it was able to “quell the campaign”. As a result today there far fewer CopyCat infected devices than at the height of the campaign between April and May 2016.    

Check Point hasn’t identified the malware’s operator but notes in its report there are “several connections” to China-based ad network MobiSummer, such as a shared server. This could indicate it is CopyCat’s operator or that the firm is unwitting participant in someone else's fraud operation. 

Most of the infections were on devices in South East Asia, however CopyCat had also infected 280,000 devices in the US. The malware does not infect Android devices in China. Malware operators often avoid targeting devices in the same jurisdiction they operate in so as not to attract an investigation by local law enforcement. 

The 14 million devices served several purposes beyond displaying fraudulent ads to boost CopyCat’s revenues. The malware helped display 100 million ads on 3.8 million devices, generating about $120,000 for the attackers. 

However, 4.4 million devices were used to claim credit for fraudulent installations of apps promoted on Google Play, earning the attackers around $660,000. The largest source of revenue however were infected devices that installed 4.9 million apps, fraudulently earning the attacker over $735,000.

Android users who limit app installations to Google Play should be safe. Check Point has found no evidence of CopyCat trojan apps available on Google’s official Android app store. As with most Android malware, including instances where they’re distributed on Google Play, CopyCat is disguised as a legitimate app that victim’s install themselves. 

Much of CopyCat’s capabilities are derived from rooting the infected device as soon as the infection takes place. To gain root on infected devices, the malware carries an “exploit module” containing six older exploits, including the well-known Towlroot from 2014. The number of infections highlights Android’s patching historical problem, particularly for older and cheaper devices. 

Some 55 percent of CopyCat infections are in Asia, with 18 percent in Africa, 12 percent in the Americas, eight percent in Australia and New Zealand, and 7 percent inEurope. 

CopyCat was also notable as the first adware that injects code into Android’s “Zygote” process, a daemon responsible for launching all Android apps. This technique is borrowed from earlier Android financial malware designed to intercept SMS messages sent during confirmation of in-app purchases in order to redirect payment to the malware author rather than the app’s developer.  

“Since all apps in Android are processes launched from Zygote, injecting code directly into it allows the malware to infiltrate the activity of all running apps,” notes Check Point. 

CSO Australia has asked Google for comment and will update the story if it receives a response.