A new piece of adware dubbed CopyCat has infected 14 million Android devices around the world, according to researchers at security firm Check Point.
CopyCat netted its distributors approximately $1.5 million in fake ad revenues in just two months, Check Point’s mobile research team wrote in a blog post. The malware is predominantly spreading to Android devices in Southeast Asia, but has already hit more than 280,000 handsets in the US.
“CopyCat is a fully developed malware with vast capabilities,” the researchers wrote. Upon infection, CopyCat attempts to root the user’s device to gain full control of the handset. It then injects code into the operating system’s Zygote app-launching process; because every app is forked from Zygote, this code allows the malware to “intervene in any activity on the device.”
The malware uses two tactics to abuse the Zygote process and steal ad revenue — it displays fraudulent pop-up ads on a user’s screen and steals app installation credits. It also installs fraudulent apps directly onto the device, netting its creators even more money.
As Check Point explained, advertisers are paid for displaying ads that lead to the installation of certain apps. CopyCat scams the mobile analytics platform Tune to fraudulently earn its revenue.
“CopyCat retrieves the package name of the app that the user is viewing on Google Play, and sends it to its Command and Control server,” the researchers wrote. “The server sends back a referrer ID suited for the package name. This referrer ID belongs to the creators of the malware, and will later be used to make sure the revenue for the installation is credited to them.”
The researchers say these tactics “generate large amounts of profits for the creators of CopyCat, given the large number of devices infected by the malware.”
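The attribution fraud described above leaves a pattern on the analytics side: a legitimate referrer ID is tied to one campaign for one app, whereas the malware's referrer ID gets credited for installs of whatever package each victim happened to be viewing. The following detection script is an added example, not code from Check Point or from the Tune platform; the log format, field names and referrer values are constructed for illustration, and the thresholds are assumptions to tune against real data.

```python
"""Flag install-attribution referrer IDs credited across many unrelated packages
(constructed example; the log format is hypothetical, not a real analytics export)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample attribution events: one line per credited install.
# 'ref-mal-7731' and 'ref-shop-campaign' are made-up referrer IDs.
SAMPLE_LOG = """\
2016-04-02T10:00:01 device=dev-001 package=com.example.game referrer=ref-shop-campaign
2016-04-02T10:05:12 device=dev-002 package=com.example.chat referrer=ref-mal-7731
2016-04-02T10:06:40 device=dev-003 package=com.example.game referrer=ref-mal-7731
2016-04-02T10:09:03 device=dev-004 package=com.example.bank referrer=ref-mal-7731
2016-04-02T10:11:55 device=dev-005 package=com.example.news referrer=ref-mal-7731
2016-04-02T10:15:20 device=dev-006 package=com.example.maps referrer=ref-mal-7731
2016-04-02T10:20:00 device=dev-007 package=com.example.game referrer=ref-shop-campaign
2016-04-02T10:21:30 device=dev-008 package=com.example.game referrer=ref-shop-campaign
malformed line that should be skipped
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"device", "package", "referrer"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields


def parse_log(text):
    """Parse a whole log, silently dropping lines that do not fit the format."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def find_suspicious_referrers(events, min_packages=3, min_devices=3):
    """Report referrer IDs credited for installs of at least `min_packages` distinct
    packages on at least `min_devices` distinct devices. A per-campaign referrer
    normally maps to a single promoted app, so wide package spread is the anomaly
    the CopyCat scheme produces. Thresholds are assumed values, not from the page."""
    by_ref = defaultdict(lambda: {"packages": set(), "devices": set(), "installs": 0})
    for e in events:
        stats = by_ref[e["referrer"]]
        stats["packages"].add(e["package"])
        stats["devices"].add(e["device"])
        stats["installs"] += 1
    return {
        ref: {
            "installs": s["installs"],
            "packages": sorted(s["packages"]),
            "devices": len(s["devices"]),
        }
        for ref, s in by_ref.items()
        if len(s["packages"]) >= min_packages and len(s["devices"]) >= min_devices
    }


if __name__ == "__main__":
    for ref, stats in find_suspicious_referrers(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious referrer {ref}: {stats}")
```

On the constructed log only `ref-mal-7731` is reported (five packages across five devices), while `ref-shop-campaign`, which is credited three times for the same app, is not. Against real attribution data the thresholds would be set from the normal per-campaign package spread, and the timestamp field, parsed but unused here, would let the same counts be taken per time window.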
CopyCat has managed to root 8 million of the 14 million devices it has infected. The campaign peaked between April and May 2016, spreading through phishing scams and popular apps that were repackaged with the malware and offered for download on third-party app stores. Check Point said there’s “no evidence” the malware made its way into Google Play.
Check Point discovered the malware after CopyCat attacked a business customer; it informed Google about it in March.
“According to Google, they were able to quell the campaign, and the current number of infected devices is far lower than it was at the time of the campaign’s peak,” Check Point wrote. “Unfortunately, devices infected by CopyCat may still be affected by the malware even today.”