
CopyCat malware: How does this Android threat operate?

Check Point researchers discovered new Android malware named CopyCat, which has infected 14 million devices. Expert Nick Lewis explains how the malware works and how it spread.

Check Point researchers found a new type of Android malware called CopyCat that has infected more than 14 million devices and has the ability to root phones. How does CopyCat malware work?

Malware developers are like most other software developers in one respect: learning a new skill, or adapting existing skills to a new platform, takes time.

Mobile malware is following the same path that Mac and PC malware took before it, and the line between adware and malware is increasingly blurred. Users sometimes install ad-supported apps deliberately to get commercial software for free, and adware frequently borrows malware techniques to keep its ad-display code running.

Check Point researchers reported a new type of Android malware called CopyCat, but they didn't say how they initially found it. Check Point also didn't detail how the malware first got installed on the endpoints; establishing that would most likely require access to the infected devices.

Because CopyCat has mostly affected users in Southeast Asia, where third-party app stores are widely used, other security vendors suspect those stores are the primary distribution vector. CopyCat's goal appears to be displaying advertisements on infected devices in order to generate revenue for its authors.

Although CopyCat looks like adware at first, Check Point investigated it in depth, partly to document the current state of Android malware, and found that it has several core malware capabilities: local privilege escalation (rooting the device), persistence, hiding its presence, auto-start so that the malware keeps running, ad display, and communication with a command-and-control (C&C) server. CopyCat is modular: some modules are hidden inside the Android application package (APK), and others are downloaded from the C&C server once the initial infection is complete.
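Modules hidden inside an APK are a triage problem a practitioner can attack directly: an APK is a zip archive, so a smuggled module usually shows up as code-bearing content (a DEX file, an ELF binary, a nested APK) sitting under assets/ or elsewhere with a misleading name. The script below is an added example written for this article, not Check Point's tooling; the sample APK it inspects is constructed in memory, and the "hidden" entries are placeholders, not real CopyCat modules.

```python
"""APK triage for hidden modules (added example; not Check Point's tooling).

Inspects every entry's leading bytes and reports code-bearing content (DEX,
ELF, nested zip/APK/JAR) found anywhere other than the standard classes*.dex
and lib/<abi>/*.so locations. The sample APK is constructed in memory.
"""
import io
import posixpath
import zipfile

# Leading bytes of formats that carry executable code.
MAGIC = {
    b"dex\n": "dex",       # Dalvik executable ("dex\n035\0" ...)
    b"\x7fELF": "elf",     # native binary or shared object
    b"PK\x03\x04": "zip",  # nested zip, APK or JAR
}
# Extensions under which each kind is normally found; anything else is a disguise.
EXPECTED_EXT = {"dex": {".dex"}, "elf": {".so"}, "zip": {".apk", ".jar", ".zip"}}


def classify(head: bytes):
    """Return 'dex', 'elf' or 'zip' for code-bearing content, else None."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_hidden_modules(apk_bytes: bytes):
    """Return [(entry_name, kind, disguised)] for code found outside standard locations."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry
            if name.startswith("classes") and name.endswith(".dex"):
                continue  # primary application code, expected
            if name.startswith("lib/") and name.endswith(".so"):
                continue  # declared native libraries, expected
            with zf.open(info) as fh:
                kind = classify(fh.read(4))
            if kind is None:
                continue
            ext = posixpath.splitext(name)[1].lower()
            findings.append((name, kind, ext not in EXPECTED_EXT[kind]))
    return findings


def build_sample_apk() -> bytes:
    """Construct a toy APK: normal entries plus three smuggled modules (placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder for binary XML>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # Smuggled: a DEX named like an image, an ELF named like data, a nested APK.
        zf.writestr("assets/background.png", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/config.dat", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("assets/plugin.apk", b"PK\x03\x04" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, disguised in find_hidden_modules(build_sample_apk()):
        tag = "disguised" if disguised else "undeclared"
        print(f"{tag:10} {kind:3} {name}")
```

Run against a real sample, the same check also catches the common case of a module stored encrypted or compressed under assets/ only once it has been unpacked; a high-entropy blob with no recognizable magic is a separate signal worth adding. Modules fetched from the C&C server after installation are by definition not in the APK, which is why static triage of the installer alone is not enough.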

Furthermore, the modules are written in different languages depending on the functionality each provides. What CopyCat cannot easily hide is its network traffic: the C&C connection is visible at the network layer, and Check Point researchers used that to analyze the C&C communication as part of their investigation.
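The reason C&C traffic is hard to hide is that a client which checks in on a timer talks to the same host at near-constant intervals with near-constant request sizes, a rhythm that stands out in ordinary proxy logs. The detector below is an added example written for this article, not Check Point's analysis; its log lines are constructed, and "cnc.example" is a placeholder host, not a real CopyCat domain.

```python
"""Beacon detection over HTTP proxy logs (added example; not Check Point's analysis).

Groups log lines by (client, host) and flags pairs whose inter-request gaps and
request sizes both have a low coefficient of variation. Log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso timestamp> <client> <host> <method> <bytes sent>"
LOG = """\
2018-01-10T12:00:00 10.0.0.7 cnc.example POST 412
2018-01-10T12:01:10 10.0.0.7 news.example GET 820
2018-01-10T12:01:12 10.0.0.7 news.example GET 15400
2018-01-10T12:01:13 10.0.0.7 news.example GET 2200
2018-01-10T12:03:30 10.0.0.9 update.example GET 600
2018-01-10T12:05:03 10.0.0.7 cnc.example POST 412
2018-01-10T12:07:40 10.0.0.7 news.example GET 900
2018-01-10T12:07:41 10.0.0.7 news.example GET 33000
2018-01-10T12:09:58 10.0.0.7 cnc.example POST 415
2018-01-10T12:15:01 10.0.0.7 cnc.example POST 411
2018-01-10T12:20:00 10.0.0.7 cnc.example POST 412
2018-01-10T12:24:57 10.0.0.7 cnc.example POST 413
2018-01-10T12:30:02 10.0.0.7 news.example GET 1100
2018-01-10T12:33:30 10.0.0.9 update.example GET 600
"""


def parse_line(line: str):
    ts, client, host, method, size = line.split()
    return datetime.fromisoformat(ts), client, host, method, int(size)


def coefficient_of_variation(values):
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def find_beacons(lines, min_requests=5, max_gap_cv=0.15, max_size_cv=0.10):
    """Return flagged (client, host) pairs with their mean period and request count."""
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, _method, size = parse_line(line)
        by_pair[(client, host)].append((ts, size))

    beacons = []
    for (client, host), events in by_pair.items():
        if len(events) < min_requests:
            continue  # too few samples to call the rhythm periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        if coefficient_of_variation(gaps) <= max_gap_cv and coefficient_of_variation(sizes) <= max_size_cv:
            beacons.append({"client": client, "host": host,
                            "period_s": round(mean(gaps)), "requests": len(events)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(LOG.splitlines()):
        print(f"{b['client']} -> {b['host']}: {b['requests']} requests every ~{b['period_s']}s")
```

In the constructed log only the cnc.example check-ins (six POSTs roughly every five minutes, all about 412 bytes) are flagged; the browsing to news.example is bursty and varies in size, and update.example has too few requests to judge. Legitimate software also beacons (update checkers, push keepalives), so this is a triage filter to pair with an allowlist of known-good destinations, not a verdict on its own.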

When legitimate apps run on an infected device, their ad modules are redirected through CopyCat's own modules, so the ads displayed are the ones the CopyCat authors choose, and the resulting ad revenue flows to them.

Because CopyCat is modular and, according to the Check Point researchers, written in C#, it is difficult for mobile antimalware programs to detect. Users should avoid third-party mobile app stores and should not download apps from suspicious sources.
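For devices already in use, the advice to avoid third-party stores can be checked rather than assumed: `adb shell pm list packages -i` prints each installed package together with the package name of the store or tool that installed it, and anything not installed by a trusted store was sideloaded or came from elsewhere. The audit below is an added example written for this article; the `pm` output it parses is constructed, and the app and store names in it are placeholders.

```python
"""Installer-source audit from 'pm list packages -i' (added example; not from the article).

Google Play installs are recorded with installer=com.android.vending. A package
whose installer is anything else (or 'null', meaning no recorded installer, as
with adb install or a manual APK sideload) deserves a closer look. The output
below is constructed; names are placeholders.
"""
import re

# Installers you trust; an enterprise MDM or app-store package would be added here (assumption).
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Constructed sample of `adb shell pm list packages -3 -i` output.
PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.wallpaper  installer=null
package:com.example.fakeclean  installer=com.thirdparty.store
package:com.example.bank  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def untrusted_installs(pm_output: str, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer)] for packages not installed by a trusted installer."""
    result = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line
        pkg, installer = m.groups()
        if installer not in trusted:
            result.append((pkg, installer))
    return result


if __name__ == "__main__":
    for pkg, installer in untrusted_installs(PM_OUTPUT):
        print(f"{pkg}: installed by {installer}")
```

Use the `-3` flag so that preinstalled system apps, which also report installer=null, do not flood the list. The installer record can be set by a malicious installer and is absent for apps pushed over adb, so treat it as an inventory signal that points at packages to pull and triage, not as proof of provenance.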


This was last published in January 2018

1 comment
How do you think this discovery by Check Point researchers will impact future mobile malware security?