Check Point researchers found a new type of Android malware called CopyCat that has infected more than 14 million devices and has the ability to root phones. How does CopyCat malware work?
Malware developers are like most other software developers in that it takes them a long time to learn a new skill and to adapt their existing skills to new systems.
Mobile malware has been making the same advances that Mac malware and PC malware have made, and distinguishing adware from malware is becoming increasingly difficult: users might intentionally install adware to try to get commercial software for free, and adware may use the same techniques as malware to implement its ad-display functionality.
Check Point researchers reported a new type of Android malware called CopyCat, but they didn't report how they initially found it. Check Point also didn't report how the malware got installed on the endpoints -- this action would most likely require access to the infected endpoints.
Because CopyCat malware has mostly affected users in Southeast Asia, other security vendors suspect third-party app stores are the primary vector. The goal of CopyCat appears to be to display advertisements on mobile devices in order to generate revenue for the authors.
While at first CopyCat appears to be adware, Check Point investigated it in-depth to document the current state of Android malware and found that it has several core malware functions, such as local privilege escalation, persistence, hiding its existence, auto-run to ensure the malware is running, displaying ads, and a command-and-control (C&C) server. CopyCat malware features separate modules that are either hidden within an Android Package Kit or that are downloaded from a C&C server once the initial device infection is complete.
Furthermore, the modules in CopyCat are written in different languages depending on the functionality each module needs. CopyCat malware is difficult to hide at the network layer, and Check Point researchers used that to their advantage to analyze the C&C connection as part of their investigation.
When applications run on an infected device, their legitimate ad modules are redirected to the CopyCat malware modules, which display the ads the CopyCat authors choose, so that the ad revenue goes to the authors rather than to the app developers.
Because CopyCat is modular and written in C#, it is difficult for mobile antimalware programs to detect it, according to the Check Point researchers. Users should avoid using third-party mobile app stores or downloading apps from suspicious sources.