A newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators approximately $1.5 Million in fake ad revenues in just two months.
Dubbed CopyCat, the malware has capabilities to root infected devices, establish persistency, and inject malicious code into Zygote – a daemon responsible for launching apps on Android, providing the hackers full access to the devices.
Over 14 Million Devices Infected; 8 Million of them Rooted
According to the security researchers at Check Point who discovered this malware strain, CopyCat malware has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play.
While the majority of victims hit by the CopyCat malware resides in South and Southeast Asia with India being the most affected country, more than 280,000 Android devices in the United States were also infected.
While there's no evidence that the CopyCat malware has been distributed on Google Play, the Check Point researchers believe that millions of victims got infected through third-party app downloads and phishing attacks.
Like Gooligan, CopyCat malware also uses "state-of-the-art technology" to carry out various forms of advertisement fraud.
CopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot) to hit devices running Android 5.0 and earlier, which are all widely used and very old, with the most recent uncovered 2 years ago.
The success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices.
A newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators approximately $1.5 Million in fake ad revenues in just two months. Dubbed CopyCat, the malware has capabilities to root infected devices, establish persistency, and inject malicious code into Zygote – a daemon responsible for launching apps on Android, providing the hackers full access to the devices. Over 14 Million Devices Infected; 8 Million of them Rooted According to the security researchers at Check Point who discovered this malware strain, CopyCat malware has infected 14 million devices, rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play. While the majority of victims hit by the CopyCat malware resides in South and Southeast Asia with India being the most affected country, more than 280,000 Android devices in the United States were also infected. While there's no evidence that the CopyCat malware has been distributed on Google Play, the Check Point researchers believe that millions of victims got infected through third-party app downloads and phishing attacks. Like Gooligan, CopyCat malware also uses "state-of-the-art technology" to carry out various forms of advertisement fraud. CopyCat uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot) to hit devices running Android 5.0 and earlier, which are all widely used and very old, with the most recent uncovered 2 years ago. The success of the campaign clearly indicates that millions of Android users still rely on old, unpatched, unsupported devices.
Here's How CopyCat Infects Android Devices
CopyCat disguises as a popular Android app that users download from third-party stores. Once downloaded, the malware starts collecting data about the infected device and downloads rootkits to help root the victim's smartphone.
After rooting the Android device, the CopyCat malware removes security defenses from the device and injects code into the Zygote app launching process to fraudulently install apps and display ads and generate revenue.
"CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what's causing the ads to pop-up on their screens," Check Point researchers say.
"CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware."
In just two months of time span, the CopyCat malware helped the hackers make more than $1.5 Million in revenue. The majority of profit (over $735,000) came from nearly 4.9 million fake installations on infected devices, which displays up to 100 million ads.
The majority of victims are located in India, Pakistan, Bangladesh, Indonesia, and Myanmar, though over 381,000 devices in Canada and more than 280,000 devices in the U.S. are infected with CopyCat.
Here's How CopyCat Infects Android Devices CopyCat disguises as a popular Android app that users download from third-party stores. Once downloaded, the malware starts collecting data about the infected device and downloads rootkits to help root the victim's smartphone. After rooting the Android device, the CopyCat malware removes security defenses from the device and injects code into the Zygote app launching process to fraudulently install apps and display ads and generate revenue. "CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what's causing the ads to pop-up on their screens," Check Point researchers say. "CopyCat also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given a large number of devices infected by the malware." In just two months of time span, the CopyCat malware helped the hackers make more than $1.5 Million in revenue. The majority of profit (over $735,000) came from nearly 4.9 million fake installations on infected devices, which displays up to 100 million ads. The majority of victims are located in India, Pakistan, Bangladesh, Indonesia, and Myanmar, though over 381,000 devices in Canada and more than 280,000 devices in the U.S. are infected with CopyCat.
