A newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators about $1.5 Million in fake advertising revenues in just two months.
Dubbed CopyCat, the malware has capabilities to root infected devices, establish persistence, and inject malicious code into Zygote – a daemon responsible for launching apps on Android, providing the hackers full access to the devices.
Over 14 Million Devices Infected; 8 Million of Them Rooted
According to the security researchers at Check Point who discovered this malware strain, CopyCat malware has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play.
While the majority of victims hit by the CopyCat malware reside in South and Southeast Asia, with India being the most affected country, more than 280,000 Android devices in the United States were also infected.
While there's no evidence that the CopyCat malware has been distributed on Google Play, the Check Point researchers believe that millions of victims got infected through third-party app downloads and phishing attacks.
Like Gooligan, CopyCat malware also uses "state-of-the-art technology" to carry out various forms of advertising fraud.
CopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot), to hit devices running Android 5.0 and earlier. All of these exploits are widely used and very old, with the most recent uncovered 2 years ago.
The success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices.
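For defenders triaging a device fleet against the two exposure conditions described above (Android 5.0 and earlier, apps installed from outside Google Play), here is an added example that is not part of the original article or of Check Point's research. It assumes you have collected `adb shell getprop` and `adb shell pm list packages -3 -i` output per device; the sample data, package names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample, shaped like `adb shell getprop` output.
GETPROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.model]: [ExamplePhone]
"""
# Constructed sample, shaped like `adb shell pm list packages -3 -i` output.
PACKAGES = """\
package:com.example.chat  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.game  installer=com.example.thirdpartystore
"""

PLAY_INSTALLER = "com.android.vending"  # Google Play's package name
MAX_EXPOSED_SDK = 21                    # API 21 = Android 5.0 ("5.0 and earlier")

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict; malformed lines are skipped."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def parse_installers(text):
    """Map each third-party package to the installer that put it on the device."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)$", text, re.M)
    return {pkg: installer for pkg, installer in pairs}

def triage(getprop_text, packages_text):
    """Classify one device. Verdict labels are illustrative, not a standard."""
    props = parse_getprop(getprop_text)
    sdk = props.get("ro.build.version.sdk", "")
    installers = parse_installers(packages_text)
    # Anything not installed by Google Play counts as sideloaded (installer=null
    # is what a manually installed APK reports).
    sideloaded = sorted(p for p, i in installers.items() if i != PLAY_INSTALLER)
    if not sdk.isdigit():
        verdict = "unknown"            # no usable OS version: inspect manually
    elif int(sdk) > MAX_EXPOSED_SDK:
        verdict = "out-of-range"       # newer than the versions the article names
    elif sideloaded:
        verdict = "review"             # old OS and non-Play apps present
    else:
        verdict = "exposed-os"         # old OS, but only Play-installed apps
    return {"model": props.get("ro.product.model"), "sdk": sdk,
            "sideloaded": sideloaded, "verdict": verdict}

if __name__ == "__main__":
    print(triage(GETPROP, PACKAGES))
```

A "review" verdict only means both conditions from the article hold for that device; it is not evidence of infection.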
Here's How CopyCat Infects Android Devices
CopyCat disguises itself as a popular Android app that users download from third-party stores. Once downloaded, the malware starts collecting data about the infected device and downloads rootkits to help root the victim's smartphone.
After rooting the Android device, the CopyCat malware removes security defenses from the device and injects code into the Zygote app launching process to fraudulently install apps, display ads, and generate revenue.
"CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what's causing the ads to pop-up on their screens," Check Point researchers say.
"CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware."
In a time span of just two months, the CopyCat malware helped the hackers make more than $1.5 Million in revenue. The majority of the profit (over $735,000) came from nearly 4.9 million fake installations on infected devices, which display up to 100 million ads.
The majority of victims are located in India, Pakistan, Bangladesh, Indonesia, and Myanmar, though over 381,000 devices in Canada and more than 280,000 devices in the United States are infected with CopyCat.
CopyCat Malware Spreads Using Chinese Advertising Network
While there's no direct evidence on who is behind the CopyCat malware campaign, researchers at Check Point found the connections listed below, which indicate that the hackers might have used the Chinese advertising network 'MobiSummer' for the distribution of the malware.
- CopyCat malware and MobiSummer operate on the same server
- Several lines of CopyCat's code are signed by MobiSummer
- CopyCat and MobiSummer use the same remote services
- CopyCat did not target Chinese users despite over half of the victims residing in Asia
"It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer's code and infrastructure without the firm's knowledge," Check Point researchers say.
Android users on older devices are still vulnerable to the CopyCat attack, but only if they are downloading apps from third-party app stores.
In March 2017, Check Point researchers informed Google about the CopyCat campaign, and the tech giant has already updated Play Protect to block the malware.
So, Android users even on older devices are protected through Play Protect, which is updated regularly as malware strains such as CopyCat continue to grow.