CopyCat Malware Infiltrated 14 Million Android Devices In 2016
The malware targeted Android 5.0 and earlier, and users who infrequently update their device. CopyCat primarily used the Rser and Acer modules -- Rser would copy other modules to the directory, while Acer would inject a shared library into the Zygote and system_server processes. The injected modules were able to steal credit card information, display fraudulent ads, and substitute the user's referrer ID with their own. It is believed that fraudulent ads were played on 26% of infected devices, while credit card information was stolen from another 30%.
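The injection behaviour described above (a foreign shared library loaded into Zygote and system_server) leaves a trace that a defender can check for: the library shows up in the process's memory map with a path outside the stock system library directories. The following script is an added example, not code from the article or from Check Point's analysis of CopyCat. It parses `/proc/<pid>/maps`-style lines and flags any mapped `.so` whose path lies outside an allowlist of system locations. The allowlist, the package name `com.example.dropper` and the sample map lines are all constructed for the example; a real check needs the allowlist tuned to the device's build and root access to read the maps of system processes.

```python
import re
from typing import Iterable

# Directories from which a stock zygote / system_server is expected to map
# shared objects. Assumed allowlist for this example; tune it per Android build.
TRUSTED_LIB_DIRS = ("/system/lib", "/system/lib64",
                    "/vendor/lib", "/vendor/lib64", "/apex/")

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_lines: Iterable[str]) -> list[str]:
    """Return the distinct paths of shared objects mapped from outside
    the trusted system directories, in the order first seen."""
    found: list[str] = []
    for line in maps_lines:
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous or malformed entry, nothing to attribute
        path = m.group("path")
        if not path.endswith(".so"):
            continue  # only interested in loaded libraries
        if not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def scan_live_process(pid: int) -> list[str]:
    """Read the maps of a running process (needs root on a real device)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_mappings(fh)


# Constructed sample: what a zygote map might look like with one library
# injected from an app's private data directory (the last path is invented).
ZYGOTE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7f2a000000-7f2a100000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7f2a200000-7f2a210000 r-xp 00000000 fd:00 1235   /system/lib64/libandroid_runtime.so
7f2a300000-7f2a310000 r-xp 00000000 fd:00 9876   /data/data/com.example.dropper/files/libinject.so
7f2a400000-7f2a410000 r--p 00000000 fd:00 1236   /apex/com.android.runtime/lib64/libart.so
""".splitlines()

if __name__ == "__main__":
    for path in suspicious_mappings(ZYGOTE_MAPS):
        print("untrusted library mapped:", path)
```

On a rooted device or emulator the same check can be run against the real processes with `scan_live_process(pid)` for the zygote and system_server PIDs; an empty result is the expected state on a clean system, and any hit from `/data` is worth a closer look.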
CopyCat was prevalent throughout 2016; however, some areas were more affected by the malware than others. 55% of reported infected devices were from Asia, while only 280,000 devices were under attack in the United States. Europe and Australia also survived the malware attack relatively unscathed. The malware reached its peak in April and May 2016, but was discovered by Google soon after. Although the number of infected devices has greatly decreased, the malware may still be generating revenue.
It is currently unclear who is behind the attack. Some have accused the Chinese ad network Mobisummer of being behind the malware, since its name appears in some of the code. No one has owned up, however, and CopyCat currently seems destined for the trash bin.