If you’re interested in numbers: around 3.8 million infected devices served fraudulent ads, 4.9 million fake apps were installed, and on 4.4 million devices CopyCat stole the credit for app installs. The CopyCat campaign reached its peak between April and May 2016.
The security researchers first came across the malware when it attacked devices protected by Check Point SandBlast Mobile. By retrieving data from the malware’s command-and-control servers, they were able to reconstruct how CopyCat works.
CopyCat was able to infect so many devices through phishing scams and third-party app stores that offered popular apps repackaged with the malware. The researchers found no evidence of CopyCat being distributed through the Google Play Store, so the infections came from sideloaded apps rather than the official store.
As for its abilities, CopyCat is a fully developed malware with dangerous capabilities: it roots the device and establishes persistence. It is also able to inject code into Zygote, the daemon from which every app process in Android is forked, so code injected there runs inside every app launched afterwards.
CopyCat’s ad-fraud chain starts with rooting the device, which gives the attackers full control of it. With its code running in Zygote, the malware can watch app installs and swap in the attackers’ own referrer ID, so they are credited (and paid) for installs they never legitimately drove. The same level of control is used to display fraudulent ads and to install fraudulent apps. With these tactics, the creators of CopyCat generated a large amount of profit.
Earlier this year, in March, Check Point informed Google about the CopyCat campaign and how it works, and the infection was curbed as a result. However, a device that was compromised earlier might still be infected.
More than 50% of the infected devices were rooted through vulnerabilities that had long since been patched, so the lesson is the same as for any other operating system: keep Android updated and follow standard security practices. Note that a device whose vendor no longer ships security patches stays exploitable no matter how diligent its owner is.
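The check a practitioner would want at this point, added here as an example rather than anything from the article or from Check Point’s report: a POSIX shell script that reads the text printed by `adb shell getprop` and flags a device whose security patch level is missing (Android 5 and earlier do not report one) or older than a chosen threshold. The threshold `MIN_PATCH_LEVEL`, the function names, and the three sample `getprop` outputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not CopyCat's code and not from Check Point's report):
# triage a device's patch state from the text that `adb shell getprop` prints.
# The patch-level threshold and the sample getprop outputs below are
# constructed assumptions, chosen only to illustrate the check.

# Devices whose security patch level predates this date are flagged as
# outdated. Assumption: set it to the patch date that closed the rooting
# vulnerabilities you are worried about.
MIN_PATCH_LEVEL="${MIN_PATCH_LEVEL:-2016-01-01}"

# get_prop NAME PROPS: print the value of one property from getprop-style
# text, whose lines look like "[ro.build.version.release]: [7.0]".
# Carriage returns are stripped because some adb builds emit CRLF.
get_prop() {
    printf '%s\n' "$2" | tr -d '\r' |
        sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# patch_status PROPS: print one of missing, outdated, unknown, current.
# ro.build.version.security_patch only exists from Android 6.0 onwards, so a
# device without it is on Android 5 or earlier and gets "missing", which for
# triage purposes is as bad as "outdated".
patch_status() {
    level=$(get_prop ro.build.version.security_patch "$1")
    if [ -z "$level" ]; then
        echo missing
        return 0
    fi
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # YYYY-MM-DD with the dashes removed is an integer that orders by date.
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$MIN_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -lt "$want" ]; then
        echo outdated
    else
        echo current
    fi
}

# triage PROPS: one summary line per device, e.g.
#   model=example-old release=5.1.1 patch=<none> status=missing
triage() {
    model=$(get_prop ro.product.model "$1")
    release=$(get_prop ro.build.version.release "$1")
    level=$(get_prop ro.build.version.security_patch "$1")
    printf 'model=%s release=%s patch=%s status=%s\n' \
        "${model:-?}" "${release:-?}" "${level:-<none>}" "$(patch_status "$1")"
}

# Constructed sample outputs standing in for `adb shell getprop` on three
# devices: one without a patch-level property, one stale, one current.
OLD_DEVICE='[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.product.model]: [example-old]'

STALE_DEVICE='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2015-12-01]
[ro.product.model]: [example-stale]'

PATCHED_DEVICE='[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2017-06-05]
[ro.product.model]: [example-new]'

# Against a real device you would run:  triage "$(adb shell getprop)"
for props in "$OLD_DEVICE" "$STALE_DEVICE" "$PATCHED_DEVICE"; do
    triage "$props"
done
```

A missing patch-level property is reported separately from an outdated one on purpose: it tells you the device is on a release that predates monthly security patch levels altogether, which is a stronger signal than a merely stale date.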
You can read more about the CopyCat malware in Check Point’s technical report.