Ruining your Android experience 101: CopyCat Malware


A new piece of adware dubbed CopyCat has infected 14 million Android devices around the world, according to researchers at security firm Check Point.

CopyCat netted its distributors approximately $1.5 million in fake ad revenues in just two months. The malware is predominantly spreading to Android devices in Southeast Asia, but has already hit more than 280,000 handsets in the US.

"CopyCat is a fully developed malware with vast capabilities," the researchers wrote. Upon infection, CopyCat attempts to root a user's device to gain full control of the handset. It then injects code into the operating system's Zygote app launching process; this code allows the malware to "intervene in any activity on the device."

The malware uses two tactics to abuse the Zygote process and steal ad revenue — it displays fraudulent pop-up ads on a user's screen and steals app installation credits. It also installs fraudulent apps directly onto the device, netting its creators even more money.

"CopyCat retrieves the package name of the app that the user is viewing on Google Play, and sends it to its Command and Control server," the researchers wrote. The server sends back a referrer ID suited for the package name. This referrer ID belongs to the creators of the malware, and will later be used to make sure the revenue for the installation is credited to them.

CopyCat has managed to root 8 million of the 14 million devices it has infected. The campaign peaked between April and May 2016, spreading through phishing scams and popular apps that were repackaged with the malware and offered for download on third-party app stores. Check Point said there's "no evidence" the malware made its way into Google Play.

If you’re interested in numbers: after infection by CopyCat, about 3.8 million devices served fraudulent ads, 4.9 million fake apps were installed, and 4.4 million devices stole credit for installing applications. It should be noted that the CopyCat malware reached its peak between April and May 2016.

More than 50% of the devices were rooted because of outdated security patches. As with any other operating system, Android users must keep their systems updated and follow standard security practices.



"According to Google, they were able to quell the campaign, and the current number of infected devices is far lower than it was at the time of the campaign's peak," Check Point wrote. "Unfortunately, devices infected by CopyCat may still be affected by the malware even today."
