CopyCat, apparently a variant of a much larger family of malware, infected around 14 million Android devices with adware and rooted 8 million of them. Rooting lets the malware persist in the system partition, so it survives a factory reset and is extremely difficult to remove without reflashing the device.
Adware generates revenue for the attackers
According to Check Point, the malware generated roughly $1.5 million in revenue through fraudulent ad displays and fake app installs. The malware has been in the wild since last year.
The majority of the infected devices were found in Southeast Asia, followed by the U.S., where 280,000 devices were infected.
Overall, Asia accounted for 55% of the infected devices and the Americas for 12%. The rest comprises Africa (18%), Oceania (8%) and Europe (7%).
How does it work?
The malware is bundled into apps that can be downloaded from third-party app stores. Once such an app is installed, the malware stays dormant until the infected device is restarted.
After the reboot, CopyCat attempts to root the device in order to gain full control of it. It does so with a bundle of root exploits downloaded from an Amazon S3 bucket.
Once the device is rooted, the malware installs a component into the system directory. Because the system partition is not touched by a factory reset, this component persists and makes the malware practically impossible to remove through normal means.
Finally, the malware injects code into Zygote, the Android process from which every app process is forked. Code injected into Zygote is inherited by every app launched afterwards, which lets CopyCat observe and manipulate app installs and display ads from inside any app on the device.
The attacker earns revenue by replacing the install referrer ID of legitimately installed apps with one they control, so the install is credited (and paid out) to the attacker rather than to the real referrer. In addition, root access allows the malware to display fraudulent ads and silently install further apps, generating more revenue.
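The two persistence signs described above (a writable system partition after rooting, and foreign code living inside Zygote) can both be checked from an `adb shell` session. The script below is an added example written for this article, not Check Point's tooling or anything taken from the CopyCat samples. It assumes the output of `mount` and of `cat /proc/<zygote-pid>/maps` has already been captured from the device; the embedded sample strings are constructed for illustration, and the library name `libinject.so` in them is hypothetical, not a CopyCat indicator.

```python
"""Triage helpers for a suspected rooted-and-persisted Android device.

Input is text captured over adb, e.g.:
    adb shell mount                      -> mount_output
    adb shell cat /proc/$(pidof zygote64)/maps -> maps_output
"""
import re

# Directories where shared objects mapped into Zygote legitimately live on a
# stock build. Anything mapped from elsewhere (notably /data, which is writable
# without root) has no business inside the process every app is forked from.
STOCK_LIB_DIRS = ("/system/", "/vendor/", "/apex/")


def system_mounted_rw(mount_output: str) -> bool:
    """Return True if the system partition is mounted read-write.

    Stock devices keep /system (or / on system-as-root devices) read-only;
    a root exploit that wants to drop a component into /system has to
    remount it rw first, which is what the page describes CopyCat doing.
    """
    for line in mount_output.splitlines():
        # toybox mount prints: "<device> on <mountpoint> type <fs> (<opts>)"
        m = re.match(r"\S+ on (\S+) type \S+ \((\S+)\)", line.strip())
        if not m:
            continue
        mountpoint, opts = m.groups()
        if mountpoint in ("/", "/system") and "rw" in opts.split(","):
            return True
    return False


def foreign_zygote_libs(maps_output: str) -> list:
    """Return shared objects mapped into Zygote from outside the stock library dirs.

    /proc/<pid>/maps lines look like:
        <start>-<end> <perms> <offset> <dev> <inode>   <path>
    Only the path matters here; anonymous mappings carry no path or a
    bracketed label and are skipped.
    """
    found = []
    for line in maps_output.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if not path.endswith(".so"):
            continue
        if not path.startswith(STOCK_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def triage(mount_output: str, maps_output: str) -> dict:
    """Combine both checks into one verdict dictionary."""
    libs = foreign_zygote_libs(maps_output)
    rw = system_mounted_rw(mount_output)
    return {
        "system_rw": rw,
        "foreign_zygote_libs": libs,
        "suspicious": rw or bool(libs),
    }


# Constructed sample output, not captured from a real infected device.
MOUNT_SAMPLE = """\
/dev/block/platform/soc/7824900.sdhci/by-name/system on /system type ext4 (rw,seclabel,relatime,data=ordered)
/dev/block/platform/soc/7824900.sdhci/by-name/userdata on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,discard,data=ordered)
"""

MAPS_SAMPLE = """\
7f8a1c2000-7f8a1f3000 r-xp 00000000 fd:00 1234   /system/lib64/libandroid_runtime.so
7f8a1f3000-7f8a1f4000 r--p 00030000 fd:00 1234   /system/lib64/libandroid_runtime.so
7f8a200000-7f8a210000 r-xp 00000000 fd:01 5678   /data/local/tmp/libinject.so
7f8a300000-7f8a301000 rw-p 00000000 00:00 0      [anon:libc_malloc]
"""

if __name__ == "__main__":
    print(triage(MOUNT_SAMPLE, MAPS_SAMPLE))
```

The path allowlist only catches code injected from writable storage; a component that the malware has already written into /system passes it, which is exactly why the page's "installed in the system directory" step matters. For that case, compare the contents of /system against the clean firmware image, or rely on verified boot (dm-verity), which on devices that enforce it refuses to boot a modified system partition.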
CopyCat’s command-and-control (C&C) server
Researchers at Check Point also investigated the malware's C&C server to get more insight into how the campaign operates. The data found on the server dates back to 2016 and earlier.
In fact, between April and May of last year around 3.8 million devices were used to serve fraudulent ads, while a further 4.4 million devices were used to install apps from Google Play with the attacker's referrer ID, crediting the attacker with those installs and thereby generating revenue.