There is a new malware that’s affecting Android smartphones. In the past two months, this has affected over 14 million Android users. It raked over $1.5 million via fraudulent app installations and advertising with peak activity during April & May 2016.
How CopyCat malware spread?
CopyCat spread via 3rd party app stores and standard phishing attacks. With increased security checks in the Google Play, the architects of CopyCat chose not to host it on the official market. So, if you are downloading all the apps from Play Store you are safe.
How does CopyCat work?
CopyCat once installed from a 3rd party app store or a phishing campaign. injected advertisements in the browsers and other applications of a victim’s device and when the victim clicked them, it earned money. Moreover, after installation, the malware fetched information about the device and used specific exploits to root the victim’s device. This allowed CopyCat to further install rootkits to make itself persistent in the victim’s phone. After gaining root access, the malware could then install fraudulent apps, monitor app installations and app launch to display targeted ads and altered the refer-install mechanism to steal the installation revenue. All this was done via infecting the Android Zygote Daemon(A service in Android devices that is responsible for launching apps on the device). This allowed the attacker complete access to the victim’s device. CopyCat used several exploits, including CVE-2013-6282, CVE-2015-3636, and CVE-2014-3153 to infect devices running Android 5.0 and lower, which is although very old but widely used.
Impact of CopyCat
It has infected over 14 million devices out of which, 8 million were rooted ie complete high privileged access. Out of these 8 million, 3.8 million devices were infected with adware and 4.4 million were used to steal credit card information. In this span of 2 months, it earned over $1.5 million via fraud app installations & displaying over 100 million advertisements. CopyCat primarily affected devices in the Southeast Asia, mainly spanning to India, Pakistan & Bangladesh. Although in the Unites States over 280,000 devices were infected. Interestingly, Chinese users were not infected indicating the attack to be originated from China.
What can users do to protect themselves?
According to Bug bounty, users should take the following precautions:
- Install applications only from the Google Play Store and not use any 3rd party app stores
- Make sure that the option for allowing app from unknown sources is unchecked in the Android settings
- Avoid installing apps with < 50,000 downloads and enough reviews & ratings
- Check the app permissions before installing. The app should only take permissions that are relevant to it. If a flashlight app needs permission for SMS & contacts it is definitely malicious
- Update to the latest version of Android if possible
- Specifically disallowing apps specific permissions from the settings if your phones allow it.
Stay safe from all the malware around and download apps only from Play Store, always. Follow us on Twitter for more news and updates.
Feature image credits