
CopyCat adware uses Amazon Web Services, APK segmentation to evade detection


The CopyCat adware that infected over 14 million Android devices before Google took steps to mitigate its spread employs advanced evasion techniques to avoid detection, including the use of Amazon Web Services and the segmentation of malicious APK files, according to new research.

Mobile security company Appthority detailed the lengths to which CopyCat goes to elude intrusion prevention and detection systems in a blog post on Thursday. Appthority explained that by leveraging AWS, the malware's activity will look like legitimate traffic to an enterprise's security systems and thus may not be blocked. Additionally, the use of AWS provides the attackers with a robust architecture, secure communications, and faster development time, the blog post continues.

Appthority has disclosed its findings to AWS, including the malware author's AWS S3 Internet storage credentials, which were found stored in clear text. If AWS cancels the malicious accounts, then CopyCat's current threat level "can be minimized if not eliminated," the blog post states. In the meantime, even though the malware is no longer significantly spreading, it remains active on many devices that were previously infected.

Additionally, Appthority researchers found that CopyCat's authors segmented the malware into separate, incomplete zip files, again to evade anti-intrusion systems that normally can extract zip files from a network stream for further analysis.
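A defender-side sketch of the reassembly check this evasion calls for, added here as an example and not taken from Appthority's or Check Point's research: it flags downloads that fail as a ZIP on their own but validate once joined. It assumes the pieces are byte-wise slices of one archive fetched in order by the same client; the function names, client addresses and object names are hypothetical, and the sample traffic is constructed.

```python
import io
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # signature that opens every non-empty ZIP/APK

def is_complete_zip(buf):
    """True only if buf starts like a ZIP and every member passes its CRC check."""
    if not buf.startswith(LOCAL_HDR):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(buf)) as zf:
            return zf.testzip() is None
    except Exception:  # truncated or headless data fails in several ways
        return False

def find_segmented_archives(downloads, max_parts=8):
    """downloads: (client, name, body) in capture order; returns (client, [names]) hits."""
    per_client = {}
    for client, name, body in downloads:
        per_client.setdefault(client, []).append((name, body))
    findings = []
    for client, objs in per_client.items():
        i = 0
        while i < len(objs):
            name, body = objs[i]
            # Candidate: looks like the head of an archive but is not valid alone.
            if body.startswith(LOCAL_HDR) and not is_complete_zip(body):
                joined, names = body, [name]
                for next_name, next_body in objs[i + 1:i + max_parts]:
                    joined += next_body
                    names.append(next_name)
                    if is_complete_zip(joined):
                        findings.append((client, names))
                        i += len(names) - 1  # skip the pieces already consumed
                        break
            i += 1
    return findings

def constructed_sample():
    """Constructed traffic: one archive cut into three pieces plus benign objects."""
    blob = io.BytesIO()
    with zipfile.ZipFile(blob, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 40)
        zf.writestr("classes.dex", bytes(range(256)) * 8)
    data = blob.getvalue()
    cut = len(data) // 3
    parts = [data[:cut], data[cut:2 * cut], data[2 * cut:]]
    rows = [("10.0.0.5", "index.html", b"<html></html>")]
    rows += [("10.0.0.5", f"part{n}", p) for n, p in enumerate(parts)]
    return rows + [("10.0.0.7", "ok.zip", data)]
```

Calling `find_segmented_archives(constructed_sample())` reports the three pieces fetched by 10.0.0.5 and ignores both the HTML page and the intact archive.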

"CopyCat is malware that experienced financial success and was able to avoid detection for about a year. While the malicious functions it performed were all too common, the innovations in evasion due to AWS delivery, and segmentation of the APK represent the next level of escalation in the mobile malware arms race," Appthority concludes in its blog post. "We shouldn't be surprised, but we should be concerned about the increasing level of sophistication represented by such capabilities in malware's ability to remain hidden while it performs its malicious actions."

CopyCat was initially discovered by researchers at Check Point Software Technologies, which published a blog post and technical report on the threat earlier this month.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
