The CopyCat adware, which infected over 14 million Android devices before Google took steps to mitigate its spread, employs advanced evasion techniques to avoid detection, including the use of Amazon Web Services and the segmentation of malicious APK files, according to new research.
Mobile security company Appthority detailed the lengths to which CopyCat goes to elude intrusion prevention and detection systems in a blog post on Thursday. Appthority explained that because the malware leverages AWS, its activity will look like legitimate traffic to an enterprise’s security systems and thus may not be blocked. Additionally, the use of AWS provides the attackers with a robust architecture, secure communications, and faster development time, the blog post continues.
Appthority has disclosed its findings to AWS, including the malware author’s AWS S3 Internet storage credentials, which were found stored in clear text. If AWS cancels the malicious accounts, then CopyCat’s current threat level “can be minimized if not eliminated,” the blog post states. In the meantime, even though the malware is no longer significantly spreading, it remains active on many devices that were previously infected.
Additionally, Appthority researchers found that CopyCat’s authors segmented the malware into separate, incomplete zip files, again to evade anti-intrusion systems that normally can extract zip files from a network stream for further analysis.
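A defender-side sketch of the inspection gap described above, added here as an example and not taken from Appthority's research or from CopyCat itself: it labels a transferred object as a complete ZIP, a leading fragment, or a trailing fragment, and checks whether fragments buffered from one source rejoin into an archive that can be scanned. The page does not say how the files were split, so the midpoint split, the `classes.dex` entry name and all function names are assumptions, and the sample archive is constructed.

```python
import io
import struct
import zipfile

LFH = b"PK\x03\x04"    # ZIP local file header signature
EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory signature

def _opens(blob: bytes) -> bool:
    """True if the blob parses as a ZIP and every entry passes its CRC check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, EOFError, OSError):
        return False

def _eocd_points_outside(blob: bytes, eocd_at: int) -> bool:
    """True if the EOCD record's directory offsets cannot fit in this blob."""
    if len(blob) < eocd_at + 22:
        return False                      # truncated record, cannot judge
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd_at + 12)
    return cd_offset + cd_size > eocd_at

def classify(blob: bytes) -> str:
    """Label one transferred object: complete ZIP, ZIP fragment, or other."""
    eocd_at = blob.rfind(EOCD)
    if blob.startswith(LFH):
        if eocd_at != -1 and _opens(blob):
            return "complete-zip"
        return "zip-fragment-head"        # entries start here, no usable directory
    if eocd_at != -1 and _eocd_points_outside(blob, eocd_at):
        return "zip-fragment-tail"        # directory ends here, entries are elsewhere
    return "other"

def reassembles(parts: list[bytes]) -> bool:
    """True if fragments buffered from one source join into a scannable ZIP."""
    return classify(b"".join(parts)) == "complete-zip"

def sample_fragments() -> tuple[bytes, bytes, bytes]:
    """Constructed sample: a small archive cut in two at its midpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"constructed sample payload " * 20)
    whole = buf.getvalue()
    return whole, whole[: len(whole) // 2], whole[len(whole) // 2 :]

if __name__ == "__main__":
    whole, head, tail = sample_fragments()
    for name, blob in (("whole", whole), ("head", head), ("tail", tail)):
        print(name, classify(blob))
    print("rejoined:", reassembles([head, tail]))
```

An inspection pipeline that only scans objects labelled `complete-zip` would pass both halves unexamined; treating the fragment labels as a signal to buffer and rejoin objects from the same source closes that gap.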
“CopyCat is malware that experienced financial success and was able to avoid detection for about a year. While the malicious functions it performed were all too common, the innovations in evasion due to AWS delivery, and segmentation of the APK represent the next level of escalation in the mobile malware arms race,” Appthority concludes in its blog post. “We shouldn’t be surprised, but we should be concerned about the increasing level of sophistication represented by such capabilities in malware’s ability to remain hidden while it performs its malicious actions.”