14 Million Android Smartphones are Infected by CopyCat Malware

Mobile App Protection

What's CopyCat malware and how dangerous it is


By Parthipan Baktavatsalam  Project Manger

A newly uncovered malware strain has already infected more than 14 Million Android devices around the world, earning its operators approximately $1.5 Million in fake ad revenues in just two months.

CopyCat is primarily designed to generate and steal ad revenues. Once installed, the adware lies in waiting until the device is restarted, so that a connection isn’t made between the installation of the app and the malicious activity. Once the device has restarted, CopyCat downloads an “upgrade” pack from an S3 bucket, a web storage service provided by Amazon. This pack contains six common exploits with which the malware attempts to root the device. If successful, CopyCat installs another component to the device’s system directory, an activity which requires root permissions, and establishes persistency, making it difficult to remove.

How did CopyCat contaminate Apps?

Injecting the code into Zygote (a daemon responsible for launching apps in the Android operating system) which allows culprits to receive revenues by getting credit for fraudulently installing apps. They achieve this after substituting the real referrer’s ID with their own.

This technique was first used by the Triada Trojan. The malware targeted the same process to gain superuser privileges before using regular Linux debugging tools to embed its DLL and target mobile browsers.

According to the researchers, the campaign was spread via popular apps, repackaged with the malware and downloaded from third party app stores, as well as phishing scams. There was no evidence that CopyCat was distributed on Google Play Store.

The Copycat adware were detected during March 2017 and the researchers claim the Copycat primarily contaminated Android owners within the countries of Southeast Asia; however, Android owners numbering 280,000-and-more in USA too were contaminated. As per researchers, Asia was attributed with 55% of CopyCat contaminations, while Africa with 18% ranked No.2 on the list of countries with most contaminated Android gadgets.

CopyCat adware transmits monetary earnings to hackers, the income acquired from pop-up ads of applications rather than to app developers. In a computation by researchers maximum of 4.9m fake applications got planted onto infected devices, generating a maximum of 100m advertisements. Within sixty days, CopyCat accounted an income of $1.5m-and-more that it transmitted to cyber-criminals.

What are the risks for businesses?

  • Theft of sensitive information – Some adware, such as Gooligan, steal sensitive information from their victims, which can later be sold to third parties;
  • Device rooting or jailbreaking – Adware frequently roots or jailbreaks devices, thereby breaking the built-in security mechanisms of Android or iOS, leaving victims defenseless to even the lowest level kind of hacks;
  • Evolving attack objectives – The bad guys behind adware campaigns may refocus their attacks, spreading different types of malware to rooted or jailbroken devices, or use them to create Denial of Service attacks;
  • Code sharing with hacking community – The sophisticated capabilities developed by adware developers can be adopted by other malware developers, and used to commit bigger crimes, as witnessed in the Vault 7 leak.

Reverse engineering a popular legitimate app not only means that victims are much more likely to download it, but a functional clone will also mean they have no idea their device has been compromised, leaving the attacker free to continually harvest data or infect others.  Despite the clear risks of using third party sources to download apps, the practice is still very common – with, for example, large numbers of users using unauthorised sources to download Pokémon Go last summer as it was not released in their regions.

How can Quixxi help?

Quixxi can help to prevent the situation happening to your app. Quixxi’s security framework protects any app using state-of-the-art encryption, thereby making it virtually impossible to hack into the source code/IP of any android app.

Quixxi provides anti-tampering solutions such as

  • Multi-layered protection to resource files and class files
  • Checksum/integrity verification
  • Encryption of strings
  • Method calls and field names hiding in class files
  • Loading the logic at runtime from low layer libraries

Having an impermeable security wrap such as Quixxi around an application, makes it impossible for hackers to infect or replicate the original apps into third-party marketplaces or portals. In an ideal world, with all the mobile applications wrapped with such a security framework, we can block access to the very source that a hacker requires to initiate an attack.

Find out more about protecting your app from data security breaches and reverse engineering hacks by visiting our websitehttps://quixxi.com/