CopyCat Malware Infects Android Devices
July 8, 2017
Shah Sheikh (1294 articles)

CopyCat Malware Infects Android Devices

A new piece of adware dubbed CopyCat has infected 14 million Android devices around the world, according to researchers at security firm Check Point.

CopyCat netted its distributors approximately $1.5 million in fake ad revenues in just two months, Check Point’s mobile research team wrote in a blog post. The malware is predominantly spreading to Android devices in Southeast Asia, but has already hit more than 280,000 handsets in the US.

CopyCat attempts to root a user’s device to gain full control of the handset. It then injects code into the operating system’s Zygote app launching process; this code allows the malware to “intervene in any activity on the device.”

The malware uses two tactics to abuse the Zygote process and steal ad revenue — it displays fraudulent pop-up ads on a user’s screen and steals app installation credits. It also installs fraudulent apps directly onto the device, netting its creators even more money.

As Check Point explained, advertisers are paid for displaying ads that lead to the installation of certain apps. CopyCat scams the mobile analytics platform Tune to fraudulently earn its revenue.

“CopyCat retrieves the package name of the app that the user is viewing on Google Play, and sends it to its Command and Control server. The server sends back a referrer ID suited for the package name. This referrer ID belongs to the creators of the malware, and will later be used to make sure the revenue for the installation is credited to them.”


CopyCat has managed to root 8 million of the 14 million devices it has infected. The campaign peaked between April and May 2016, spreading through phishing scams and popular apps that were repackaged with the malware and offered for download on third-party app stores.

Check Point discovered the malware after CopyCat attacked a business customer; it informed Google about it in March.

Source | PCMag