Although the Android malware campaign called CopyCat peaked more than a year ago, some devices may still be infected today, according to a report by the IT security firm Check Point.
The security company was alerted to the malware when a business customer using Check Point's mobile security solution reported an attack on its devices. Check Point was then able to reverse-engineer CopyCat to determine how it worked, spread, and generated revenues for the hackers responsible. The malware affected mostly Android users in Southeast Asia, although some 280,000 devices in the U.S. were also infected, Check Point said.
Check Point's investigation concluded that CopyCat infected some 14 million Android devices, rooting around 8 million of them, which means the attackers had complete control of the devices' systems. By fraudulently installing apps with their own referrer IDs on infected devices, the hackers were able to generate around $1.5 million in ad credit revenues.
Spread via 3rd-Party App Stores, Phishing
"CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote -- a daemon responsible for launching apps in the Android operating system -- that allows the malware to control any activity on the device," the Check Point mobile research team wrote yesterday on the company's blog.
Check Point's research found the malware most likely spread via popular apps downloaded from third-party app stores, rather than from Google's Play Store. The malware also made it onto some devices via phishing scams, the researchers noted.
"In March 2017, Check Point informed Google about the CopyCat campaign and how the malware operated," they said. "According to Google, they were able to quell the campaign, and the current number of infected devices is far lower than it was at the time of the campaign's peak. Unfortunately, devices infected by CopyCat may still be affected by the malware even today."
'Significant Threat to Users & Businesses'
Check Point said malware like CopyCat threatens users by breaking built-in device security, allowing the spread of other malware or denial-of-service attacks, being shared and adapted by other hackers, and enabling the theft of sensitive information that can be sold to third-party buyers.
"The preponderance of malware focused on skimming profit from the ad industry, and the ingenious technical approaches deployed, indicate just how lucrative it is for cybercriminals to engage in adware campaigns," the research team said. "But adware poses a significant threat to users and businesses, alike ... Attackers need nothing more than a compromised mobile device connected to the corporate network to breach the business' complete network and gain access to sensitive data."
To protect against such malware, individuals and business users should ensure their devices have advanced protection with static and dynamic app analysis that can identify and block zero-days, Check Point said.
"Users and enterprises should treat their mobile devices just like any other part of their network, and protect them with the best cybersecurity solutions available," the research team said.