A mobile malware strain that roots Android devices and commits both ad fraud and app-install fraud has infected at least 14 million devices, at one point raking in $1.5 million during a peak two-month period in 2016, Check Point Software Technologies has reported.
Dubbed CopyCat, the malware is the first known adware that injects its code into Zygote, a daemon tasked with launching apps on Android devices. This dangerous technique gives the malware an extremely strong foothold on affected devices, allowing it to infiltrate the activity of all running apps, Check Point explained in a blog post and accompanying technical report.
Significantly, CopyCat steals credits earned by legitimate advertisers whenever one of their ads results in an application download. The malware accomplishes this by swapping out the ad company's real referrer ID with a fraudulent one. These credits are ultimately exchanged for revenue. According to Check Point researcher Daniel Padon, this technique has never been seen before, and is more lucrative than traditional ad fraud.
"There are many efforts by ad networks to detect and stop fraud from happening and this is actually a... way to do it without being detected," said Padon, in an interview with SC Media. "You have to be on the device itself [and monitoring] device activity to understand that fraud has actually taken place." Otherwise, the ad transaction "will look like a legitimate one from end to end."
CopyCat specifically scams Tune, a mobile analytics platform that tracks advertisements that result in a viewer downloading an app. According to Check Point's blog post, when an infected user visits Google Play, "CopyCat retrieves the package name of the app that the user is viewing on Google Play, and sends it to its command and control server. The server sends back a referrer ID suited for the package name. This referrer ID belongs to the creators of the malware, and will later be used to make sure the revenue for the installation is credited to them. CopyCat blocks all install_referrer intents and replaces them with its own referrer ID, which was received from the command and control server previously."
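The referrer hijack described above leaves a statistical trace on the attribution side: a genuine campaign referrer credits installs of one app or a small set, whereas a referrer ID that is forced onto every install on an infected device turns up across unrelated packages, and each such device reports the same ID for everything it installs. The following is an added illustration of that detection logic, not code from Check Point, Tune or the malware; the event records and referrer IDs are constructed, and the thresholds are assumptions to tune against real volumes.

```python
from collections import defaultdict

# Constructed sample install-attribution events (device, package, referrer ID),
# the shape of what an attribution platform logs per install_referrer callback.
# dev-10..dev-12 behave like infected devices: one referrer on every install.
SAMPLE_EVENTS = [
    ("dev-01", "com.shop.deals",   "ref-campaign-77"),
    ("dev-02", "com.shop.deals",   "ref-campaign-77"),
    ("dev-03", "com.shop.deals",   "ref-campaign-77"),
    ("dev-04", "com.news.daily",   "ref-campaign-12"),
    ("dev-10", "com.shop.deals",   "ref-HIJACK"),
    ("dev-10", "com.news.daily",   "ref-HIJACK"),
    ("dev-10", "com.photo.editor", "ref-HIJACK"),
    ("dev-11", "com.maps.free",    "ref-HIJACK"),
    ("dev-11", "com.game.puzzle",  "ref-HIJACK"),
    ("dev-12", "com.video.player", "ref-HIJACK"),
    ("dev-12", "com.news.daily",   "ref-HIJACK"),
]

def referrer_profile(events):
    """Per referrer ID: (distinct packages, distinct devices) credited to it."""
    packages, devices = defaultdict(set), defaultdict(set)
    for device, package, referrer in events:
        packages[referrer].add(package)
        devices[referrer].add(device)
    return {r: (len(packages[r]), len(devices[r])) for r in packages}

def suspicious_referrers(events, max_packages=3):
    """Referrer IDs credited across more distinct packages than a campaign
    would plausibly promote (max_packages is an assumed threshold)."""
    return sorted(r for r, (n_pkg, _) in referrer_profile(events).items()
                  if n_pkg > max_packages)

def suspicious_devices(events, min_packages=2):
    """Devices whose installs of several different packages all carried one
    and the same referrer ID, consistent with the ID being rewritten on the
    device rather than attributed per campaign."""
    per_device = defaultdict(list)
    for device, package, referrer in events:
        per_device[device].append((package, referrer))
    flagged = []
    for device, installs in per_device.items():
        pkgs = {p for p, _ in installs}
        refs = {r for _, r in installs}
        if len(pkgs) >= min_packages and len(refs) == 1:
            flagged.append(device)
    return sorted(flagged)
```

On the sample data only ref-HIJACK and the three infected devices are flagged; in production the two signals should be combined and the thresholds calibrated against known-good campaign data, since a large multi-app campaign can legitimately span several packages.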
Victims of CopyCat were infected by downloading malicious apps distributed by third-party stores unaffiliated with Google Play. Upon reporting CopyCat to Google in March 2017, Check Point learned from Google that the company had been aware of the campaign and had already taken steps to curtail its damage. Consequently, there are now fewer infected devices than there were during CopyCat's two-month peak period from April to May 2016, when it generated the vast majority of its revenue. (The earliest evidence of CopyCat traces back to March 2016, said Padon.)
"CopyCat is a variant of a broader malware family that we've been tracking since 2015," a Google spokesperson told SC Media in an emailed statement. "Each time a new variant appears, we update our detection systems to protect our users. Play Protect secures users from the family, and any apps that may have been infected with CopyCat were not distributed via Play. As always, we appreciate researchers' efforts to help keep users safe."
The 14 million devices found infected by CopyCat are all linked to one command and control server, meaning there could be additional C&Cs linked to millions more victims. Of this lot, 55 percent of devices are based in Asia, with a heavy concentration in South and Southeast Asia, including India (3.84 million infections), Pakistan (1.06 million), Bangladesh (1.03 million) and Indonesia (1.01 million). Africa saw 18 percent of infections and the Americas experienced 12 percent, with 280,000 infections in the U.S.
Eight million of the infected devices, or about 54 percent, were successfully rooted, an unusually high share, Check Point noted.
In addition to stealing credits for app downloads, CopyCat also makes money by fraudulently delivering ads and downloading apps. Of the 14 million phones infected with the malware, 4.9 million were made to serve up apps, 4.4 million stole credits for app downloads and 3.8 million issued ads to their owners, Check Point reported. The app fraud activity generated $735,000 in ill-gotten revenues, while the credit stealing activity yielded at least $660,000 by very conservative estimates. The ad fraud activity has been responsible for displaying around 100 million ads, collectively worth around $120,000.
Regarding attribution, Check Point said that its researchers found some notable links between CopyCat and MobiSummer, an ad network based in China. For instance, the malware contains code signed by MobiSummer and uses remote services created by the ad network. Also, the two entities share a common server. While previous adware campaigns have been linked to Chinese online ad companies, it is also possible that CopyCat's authors could have simply borrowed MobiSummer's various assets without permission.