Posted on July 10, 2017 at 12:55 PM
Millions of Android devices have found themselves under another malware attack. This one, called CopyCat, has collected more than a million dollars. It did so through fake ads and app installations, according to Check Point’s researchers.
According to them, this malware is currently infecting around 14 million Android devices and has made over $1.5 million in April and May of 2016. The malware seems to have spread through phishing attacks and third-party app stores. Although it targets Android devices, it didn’t come from the Google Play Store.
According to Check Point’s mobile security researcher, Daniel Padon, the company notified Google as soon as the malware was discovered. However, Google had already been working on solving the problem at that point. According to them, fewer than 50,000 Android devices are still infected.
New protections have been developed since, and Google has delivered them even to the devices with older systems. Still, the malware was quite successful, and while in full force, it got root control on 8 million devices. After that, it served over 100 million fake ads, and also installed 4.9 million apps on infected devices.
Several exploits were used to do all this, taking advantage of multiple flaws in Android devices running system version 5 and earlier. The attackers also managed to hijack ‘Zygote’, which is one of Android’s software functions. In fact, this is the one responsible for managing app launches.
It is an entirely new technique used by adware, and it was first introduced by malware called Triada.
Now, when it comes to CopyCat, it mostly targeted Southeast Asia. Most of its victims are located in Pakistan, India, and Bangladesh. However, that doesn’t mean that the rest of the world was not affected.
In the US alone, there were 280,000 infected devices. On the other hand, it would seem that China was avoided on purpose, which means that this may be where the hackers are from.
In fact, researchers have even managed to track CopyCat back to a 3-year-old ad-tech startup. It was called MobiSummer, and it was based in Guangzhou, China. Even with all those connections, there was still the possibility that the company was only used by hackers, without even knowing it.
Google itself got very interested in this malware, and it has kept tabs on its progress ever since. Google Play Protect, which is the company’s official security feature, will scan the infected devices and remove malicious apps. The same treatment will be provided for phones with older systems as well.
As for CopyCat itself, it is part of a pretty big malware family that has been tracked since 2015. Google is increasing its defenses each time a new part of the ‘family’ appears.
This method of fraudulent advertising has become an easy way for criminals to earn money online. Many such scams were discovered by Check Point and similar security companies. One of them, HummingBad, managed to earn its hackers $300,000 per month.
Another one, called Gooligan, stole authentication tokens for over 1 million Google accounts. Two more that left a similar impression are Methbot and YiSpecter.