CopyCat is an adware (malware that injects ads on a victim's device to generate revenue) that affected over 14 million Android users in the span of 2 months. It raked in over $1.5 million via fraudulent app installations and advertising, with peak activity during April and May 2016.
How did CopyCat malware spread?
Unlike older adware, CopyCat spread via third-party app stores and standard phishing attacks. With increased security checks in Google Play, the architects of CopyCat chose not to host it on the official market.
How does CopyCat work?
Once installed from a third-party app store or a phishing campaign, CopyCat injected advertisements into the browser and other applications on the victim's device, and earned money whenever the victim clicked them.
Moreover, after installation the malware fetched information about the device and used specific exploits to root it (a process where an app gains the highest available privileges, allowing it to alter the core of the device). This allowed CopyCat to install rootkits to make itself persistent on the victim's phone.
After gaining root access, the malware could install fraudulent apps, monitor app installations and app launches to display targeted ads, and alter the referrer-install mechanism to steal the installation revenue.
All this was done by infecting the Android Zygote daemon (the service on Android devices responsible for launching apps). This gave the attacker complete access to the victim's device.
CopyCat used several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot) and CVE-2014-3153 (Towelroot), to infect devices running Android 5.0 and lower, which, although very old, were still widely used.
What was the impact of CopyCat?
CopyCat infected over 14 million devices, 8 million of which were rooted, i.e. given complete high-privileged access. Of these 8 million, 3.8 million devices were infected with adware and 4.4 million were used to steal credit card information.
In this span of 2 months, it earned over $1.5 million via fraudulent app installations and by displaying over 100 million advertisements.
Which parts of the world did CopyCat hit the worst?
CopyCat primarily affected devices in Southeast Asia, mainly spanning India, Pakistan and Bangladesh.
In the United States, over 280,000 devices were infected. Interestingly, Chinese users were not infected, indicating that the attack originated from China.
Who is behind CopyCat?
Though there is no direct evidence, researchers at Check Point suggested that the responsible party is a Chinese advertising network, MobiSummer.
The researchers found the following connections between CopyCat and MobiSummer:
1. CopyCat malware and MobiSummer operate on the same server
2. Several lines of CopyCat's code are signed by MobiSummer
3. CopyCat and MobiSummer use the same remote services
4. CopyCat did not target Chinese users despite over half of the victims residing in Asia
What can users do to protect themselves?
According to the spokesperson at Bugsbounty, users should take the following precautions:
1. Install applications only from the Google Play Store and do not use any third-party app stores
2. Make sure that the option for allowing apps from unknown sources is unchecked in the Android settings
3. Avoid installing apps with fewer than 50,000 downloads or without enough reviews and ratings
4. Check the app permissions before installing. The app should only take permissions that are relevant to it. If a flashlight app needs permission for SMS and contacts, it is definitely malicious
5. Update to the latest version of Android if possible
6. Specifically disallow individual permissions for apps from the settings, if your phone allows it
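Three of these precautions can be checked on an attached device over adb. The script below is an added example, not code from the article, Bugsbounty or Check Point; it assumes adb is on PATH with an authorised device attached, and flags an Android release in the 5.0-and-lower range the listed exploits targeted, the "unknown sources" toggle being enabled, and the presence of a su binary (a sign the device is rooted). The assess() function takes the raw command output as text, so it can also be run on constructed sample values without a device.

```python
import subprocess

def adb_shell(cmd):
    # Assumes adb is on PATH and a device is attached and authorised.
    out = subprocess.run(["adb", "shell", cmd], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()

def version_tuple(release):
    """'4.4.2' -> (4, 4, 2); a part without digits (e.g. 'beta') counts as 0."""
    parts = []
    for piece in release.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def assess(release, unknown_sources, su_listing):
    """Return the list of findings for one device.

    release         - output of `getprop ro.build.version.release`
    unknown_sources - output of `settings get secure install_non_market_apps`
                      ('1' = enabled; '0' otherwise; Android 8+ dropped the
                      global toggle and returns 'null')
    su_listing      - output of `ls /system/xbin/su /system/bin/su 2>/dev/null`
                      (empty when neither path exists)
    """
    findings = []
    # Compare major.minor only, so 5.0.2 still counts as "5.0 and lower".
    if version_tuple(release)[:2] <= (5, 0):
        findings.append("android_release_in_copycat_exploit_range")
    if unknown_sources.strip() == "1":
        findings.append("unknown_sources_enabled")
    if su_listing.strip():
        findings.append("su_binary_present")
    return findings

if __name__ == "__main__":
    report = assess(
        adb_shell("getprop ro.build.version.release"),
        adb_shell("settings get secure install_non_market_apps"),
        adb_shell("ls /system/xbin/su /system/bin/su 2>/dev/null"),
    )
    print("findings:", report or "none")
```

A device with any finding should be treated as exposed to the CopyCat infection path described above; an empty list only covers these three checks, not app-level permission review.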