CopyCat numbers

For the past year and a half, an Android adware family known as CopyCat has infected over 14 million devices, rooted around 8 million, and made over $1.5 million for its owners.

The adware was capable of doing all these because it included five exploits that allowed it to root Android devices and then tap into Zygote, the name of Android's core OS processes, a mechanism that controls app launching operations.

According to a technical report released last night by Israeli security firm Check Point, the CopyCat adware used the following rooting exploits: CVE-2014-4321, CVE-2014-4324, CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot).

All these exploits work only on older devices, running Android 5 or earlier. In normal circumstances, exploits that target older software versions are inefficient, but the Android ecosystem is mainly made up of phones running older Android OS versions, meaning the crooks had a large userbase to target.

CopyCat adware has ties to Chinese ad firm

The majority of infected phones were located in Southeast Asia. Users got infected with tainted apps installed from forums or third-party app stores.

Curiously, the CopyCat malware was specifically configured to avoid infecting Chinese users. This was most likely because the malware's authors are located in the country, and they wanted to avoid arousing the scrutiny of Chinese authorities.

Check Point claims it traced back connections between the malware's infrastructure and MobiSummer, an ad network located in China, but could not determine if the company acted intentionally in spreading CopyCat, or its servers were hacked.

If MobiSummer is confirmed as the author, they wouldn't be the first Chinese ad firm behind an adware family. Previously, researchers traced back the HummingBad and YiSpecter adware families to a company named Yingmob, and the Judy adware to a company called Kiniwini.

CopyCat never reached the Play Store

Researchers said apps infected with CopyCat never made their way onto the official Google Play Store, but Google's security team intervened and quelled the campaign. CopyCat's activity reached its peak in April and May 2016, but infection numbers have gone down in the meantime.

CopyCat was not the first malware that could infect the Zygote Android core process. Other Android malware families that could do this are the Loki (adware), Xiny (banking trojan), and Triada (banking trojan) families.

In the case of CopyCat, its authors used it to replace referrer IDs on any app the user installed on his phone or to insert ads in the process of legitimate apps. If crooks wanted to perform more intrusive actions, such as steal user data, install apps without consent, or show phishing pages, CopyCat's features would have allowed them to do so. Below are images detailing CopyCat's mode of operation, and the countries where it made most victims. A CopyCat technical report is available here.

CopyCat mode of operation

CopyCat infection map

Country list

Image credits: Check Point