CopyCat Malware Affected Over 14 Million Android Devices: Check Point


  • CopyCat malware campaign stole ad revenues by installing fraud apps
  • It first infected the Android devices and then tried to root them
  • Google had quelled the CopyCat campaign and lowered the threat

The cyber threats have increasingly grown with time on multitude of platforms such as Android, Linux, and Windows to name a few. Researchers have now found that CopyCat Android malware had affected over 14 million devices last year, succeeding in rooting at least eight million of them. The malware made its way to the devices via malicious apps available inside illegitimate app markets, instead of Google Play, to earn as much as $1.5 million (roughly Rs. 9.6 crores) in fake ad revenues in two months, the researchers said.

A study conducted by Check Point researchers has revealed that the CopyCat malware could seep into the Android devices by harnessing six different vulnerabilities possessed by them, and used a novel technique to generate and steal ad revenues. It infected more than 280,000 Android users in the United States, while its major target was Southeast Asian countries. The CopyCat malware was being spread under a campaign and it used to infect device and subsequently root them, gaining the full control of the smartphone.

The researchers define CopyCat as “a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into the Zygote”, which is a primary Android app launching process. After a device is infected by CopyCat, it further holds itself until the device reboots and then it tries to root the device. As an attempt to root the device, the malware uses six vulnerabilities possessed by Android 5.0 Lollipop and earlier versions through an ‘upgrade’ acquired through Amazon Web Service storage. Although the flaws found by researchers was capable enough for earlier Android versions, it could still be persistent in the devices that have not been patched or updated in last two years.

As we said, after it exploits the vulnerabilities of Android, the CopyCat malware starts the malicious code injection process to the Zygote app launching process and then generates illicit revenue by installing apps and further replacing the user’s referrer ID with that of attackers. It additionally starts displaying fraud ads and apps. This kind of a technique was earlier used by the Triada Trojan, which targeted devices to gain superuser privileges before making use of regular Linux debugging tools to embed its DLL and infect mobile browsers.

Talking about the stats, about 26 percent of the CopyCat infected devices showed fraudulent advertisements, while a good 30 percent devices were operated to steal credit for downloading and installing the apps on the device. In addition, the study mentions that the malware also shared the device’s information to CopyCat’s control centres.

Google was able to subdue the impact of the CopyCat malware campaign back when the outbreak happened, gradually reducing the number of affected devices, however devices that haven’t been updated could still be open to attackers. We recommend users stick to official app stores for their app downloads.