A new strain of malware called CopyCat has hit more than 14 million Android devices around the world, rooting phones and hijacking applications to make millions in fraudulent advertising revenue.
“CopyCat is mobile malware for Android devices that uses its technology to commit advertising fraud. As a result of infection, it roots the user’s device, allowing attackers to gain full control of the device.”
The malware was discovered by Check Point security researchers. It roots infected devices using several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot) and CVE-2014-3153 (Towelroot), and targets devices running Android 5.0 (Lollipop) and earlier.
“CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, which makes it difficult for users to understand what is causing the ads popping up on their screens.”
The malware can replace the referrer IDs of applications with its own, so that the revenue for each ad that appears is credited to the attackers rather than to the app’s legitimate developer. From time to time, it also displays its own ads to earn extra money.
“CopyCat looks for a referrer ID in the application’s shared local preferences. If this identifier is not found, CopyCat sends a request to the server at http://api.tracksummer.com/api/v1/get and uses the response as the referrer ID, a value used in advertising tracking to attribute the install to the publisher who promoted the application, who is then paid for the install campaign. With the fraudulent referrer ID, CopyCat creates an INSTALL_REFERRER intent and sets an additional “flag” field with the value “20” to avoid being blocked by its own injected code.”
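As an added example (not code from Check Point’s report or from the malware), the following Python script flags the referrer-ID behaviour described above in constructed sandbox records; the record format, the package names and the sample values are assumptions.

```python
import re
from typing import Dict, List, Tuple

INSTALL_REFERRER = "com.android.vending.INSTALL_REFERRER"
PLAY_STORE = "com.android.vending"        # the store that legitimately broadcasts INSTALL_REFERRER
REFERRER_C2 = "api.tracksummer.com"       # referrer-ID server named in the Check Point report

# Constructed sample records in an assumed sandbox format (not a real capture):
#   BCAST <sender-package> <action> [k=v;k=v]   one broadcast intent
#   NET   <package> <url>                       one outbound HTTP request
SAMPLE_LOG = """\
BCAST com.android.vending com.android.vending.INSTALL_REFERRER referrer=utm_source%3Dgoogle-play
NET   com.example.game http://api.tracksummer.com/api/v1/get
BCAST com.example.game com.android.vending.INSTALL_REFERRER referrer=ref-4711;flag=20
NET   com.example.weather https://weather.example/api/today
BCAST com.android.vending com.android.vending.INSTALL_REFERRER referrer=utm_source%3Dnewsletter
"""

LINE_RE = re.compile(r"^(BCAST|NET)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_extras(extras: str) -> Dict[str, str]:
    """Turn 'k=v;k=v' into a dict; tolerate a missing or empty extras field."""
    return dict(kv.split("=", 1) for kv in extras.split(";") if "=" in kv)


def analyse(log: str) -> List[Tuple[str, str]]:
    """Return (package, reason) findings for CopyCat-style referrer fraud."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip records we do not understand
        kind, pkg, target, extras = m.groups()
        if kind == "NET" and REFERRER_C2 in target:
            findings.append((pkg, f"fetches referrer ID from {REFERRER_C2}"))
        elif kind == "BCAST" and target == INSTALL_REFERRER:
            ex = parse_extras(extras or "")
            if pkg != PLAY_STORE:         # a third-party app injecting the referrer broadcast
                findings.append((pkg, "INSTALL_REFERRER broadcast not sent by Play Store"))
            if ex.get("flag") == "20":    # the marker CopyCat adds to its own broadcast
                findings.append((pkg, "INSTALL_REFERRER carries extra flag=20"))
    return findings


if __name__ == "__main__":
    for pkg, reason in analyse(SAMPLE_LOG):
        print(f"{pkg}: {reason}")
```

The legitimate Play Store broadcasts produce no findings; only the third-party package that contacts the referrer server and injects its own broadcast is reported.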
CopyCat malware spreads through a Chinese advertising network
Although there is no direct evidence of who is behind the CopyCat malware campaign, the researchers found several links suggesting that the attackers could be using the Chinese MobiSummer advertising network to distribute the malware:
- CopyCat malware and MobiSummer operate on the same server
- Several lines of CopyCat code are signed by MobiSummer
- CopyCat malware and MobiSummer use the same remote services
- CopyCat malware did not target Chinese users, although more than half of the victims live in Asia
“It’s important to note that while these connections exist, it does not necessarily mean that the malware was created by the company; it is possible that the authors behind it used MobiSummer’s code and infrastructure without the company’s knowledge,” say the Check Point researchers.
Older Android devices are still vulnerable to CopyCat attacks, but only when they download applications from third-party app stores.
In March 2017, Check Point researchers reported the CopyCat campaign to Google, and the technology giant has since updated Google Play Protect to block the malware.
As a result, Android users, even on older devices, are protected by Play Protect, which is regularly updated as new CopyCat variants continue to appear.