CopyCat is adware (malware that injects ads onto a victim's device to generate revenue) that affected over 14 million Android users in the span of 2 months. It raked in over $1.5 million via fraudulent app installations and advertising, with peak activity during April & May 2016.
How did CopyCat malware spread?
Unlike older adware, CopyCat spread via 3rd party app stores and standard phishing attacks. With increased security checks in Google Play, the architects of CopyCat chose not to host it on the official market.
How does CopyCat work?
Once installed from a 3rd party app store or via a phishing campaign, CopyCat injected advertisements into the browser and other applications on a victim's device, and earned money when the victim clicked them.
Moreover, after installation, the malware fetched information about the device and used specific exploits to root it (a process by which an app gains the highest available privileges, allowing it to alter the core architecture of the device). This allowed CopyCat to install rootkits and make itself persistent on the victim's phone.
After gaining root access, the malware could install fraudulent apps, monitor app installations and app launches to display targeted ads, and alter the install-referrer mechanism to steal the installation revenue.
All this was done by infecting the Android Zygote daemon (the service on Android devices responsible for launching apps). This gave the attacker complete access to the victim's device.
CopyCat used several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot), to infect devices running Android 5.0 and lower, which, although very old, were still widely used.
What was the impact of CopyCat?
CopyCat infected over 14 million devices, of which 8 million were rooted, i.e. completely compromised with high-privileged access. Of these 8 million, 3.8 million devices were infected with adware and 4.4 million were used to steal credit card information.
In this span of 2 months, it earned over $1.5 million via fraudulent app installations and by displaying over 100 million advertisements.
Which parts of the world did CopyCat hit the worst?
CopyCat primarily affected devices in Southeast Asia, mainly in India, Pakistan & Bangladesh.
Over 280,000 devices were also infected in the United States. Interestingly, Chinese users were not infected, indicating that the attack originated from China.
Who is behind CopyCat?
Though there is no direct evidence, researchers at Check Point suggested that the responsible party is the Chinese advertising network MobiSummer.
The researchers found the following connections between CopyCat & MobiSummer:
1. CopyCat malware and MobiSummer operate on the same server
2. Several lines of CopyCat's code are signed by MobiSummer
3. CopyCat and MobiSummer use the same remote services
4. CopyCat did not target Chinese users despite over half of the victims residing in Asia
What can users do to protect themselves?
According to a spokesperson at Bugsbounty, users should take the following precautions:
1. Install applications only from the Google Play Store and do not use any 3rd party app stores
2. Make sure that the option allowing apps from unknown sources is unchecked in the Android settings
3. Avoid installing apps with fewer than 50,000 downloads or without enough reviews & ratings
4. Check the app permissions before installing. The app should only request permissions that are relevant to it. If a flashlight app needs permission for SMS & contacts, it is definitely malicious
5. Update to the latest version of Android if possible
6. Revoke specific permissions from individual apps in the settings, if your phone allows it
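Precautions 1 and 2 can be audited from a workstation with adb rather than by clicking through the settings menus. The script below is an added example, not part of the original article or any Check Point or Bugsbounty tooling: it parses the output of the real `pm list packages -i` and `settings get secure install_non_market_apps` commands, flagging every package whose recorded installer is not the Play Store. The package names in SAMPLE are constructed; `com.android.vending` is the Play Store's actual package name.

```shell
#!/bin/sh
# Added example: audit an Android device for sideloaded apps and the
# "unknown sources" setting, using the output of two real adb commands:
#   adb shell pm list packages -i -3                         -> one line per third-party package
#   adb shell settings get secure install_non_market_apps    -> 1 if sideloading is allowed (Android 7 and lower)
# Typical line from pm:  package:com.example.app  installer=com.android.vending

PLAY_STORE="com.android.vending"

# Read `pm list packages -i` output on stdin and print "<package>\t<installer>"
# for every package that did not come from the Play Store. installer=null means
# no installer was recorded at all, which is what a phishing-delivered APK looks like.
flag_sideloaded_apps() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;          # only package lines carry data
            *) continue ;;
        esac
        pkg=${line#package:}       # drop the "package:" prefix
        pkg=${pkg%% *}             # keep the package name only
        installer=${line##*installer=}
        [ "$installer" = "$PLAY_STORE" ] && continue
        printf '%s\t%s\n' "$pkg" "$installer"
    done
}

# Interpret the install_non_market_apps value (meaningful on Android 7 and lower;
# Android 8+ grants REQUEST_INSTALL_PACKAGES per app instead).
unknown_sources_status() {
    case "$1" in
        1)      echo "WARN: unknown sources allowed" ;;
        0|null) echo "ok: unknown sources blocked" ;;
        *)      echo "unknown: $1" ;;
    esac
}

# Constructed sample of `pm list packages -i` output (package names are made up).
SAMPLE='package:com.example.news  installer=com.android.vending
package:com.example.flashlight  installer=com.thirdparty.store
package:com.example.game  installer=null'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | flag_sideloaded_apps
    unknown_sources_status 1
fi
```

Against a live device, replace the SAMPLE pipe with `adb shell pm list packages -i -3 | flag_sideloaded_apps`; the flagged apps are the ones to check against precautions 3 and 4.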