While an Android-targeting malware attack called CopyCat peaked more than one year ago, some devices might still be infected today, according to a report by the IT security firm Check Point.
The security company was alerted to the malware when a business customer using Check Point’s mobile security solution reported an attack on its devices. Check Point was then able to reverse-engineer CopyCat to determine how it worked, spread, and generated revenues for the hackers responsible. The malware affected mostly Android users in Southeast Asia, although some 280,000 devices in the U.S. were also infected, Check Point said.
Check Point’s investigation concluded that CopyCat infected some 14 million Android devices and gained root access on around 8 million of them, giving the attackers complete control of those devices. By fraudulently installing apps with their own referrer IDs on infected devices, the hackers were able to generate around $1.5 million in ad credit revenues.
Spread via 3rd-Party App Stores, Phishing
“CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote — a daemon responsible for launching apps in the Android operating system — that allows the malware to control any activity on the device,” the Check Point mobile research team wrote yesterday on the company’s blog.
Check Point’s research found the malware most likely spread via popular apps downloaded from third-party app stores, rather than from Google’s Play Store. The malware also made it onto some devices via phishing scams, the researchers noted.
“In March 2017, Check Point informed Google about the CopyCat campaign and how the malware operated,” they said. “According to Google, they were able to quell the campaign, and the current number of infected devices is far lower than it was at the time of the campaign’s peak. Unfortunately, devices infected by…