CopyCat Malware Made $1.5M by Infecting 14M Android Devices

CopyCat, apparently a variant of a much larger family of malware, infected around 14 million Android devices with adware and rooted 8 million of them, making it impossible to remove the malware.

Adware generates revenue for the attackers

According to Check Point, the malware generated $1.5 million in revenue by installing fake ads and apps. The malware has also been in the wild since last year.

The majority of the infected devices were found in Southeast Asia, followed by the U.S., where 280,000 devices were infected.

Essentially, Asia accounted for 55% of the infected devices, while the Americas accounted for 12% of the total. The rest comprises Africa (18%), Oceania (8%) and Europe (7%).

How does it work?

The malware is embedded in apps that can be downloaded from third-party app stores. Once downloaded, the malware activates only after the infected device is restarted.

When a device is restarted, CopyCat starts to root the device in order to gain admin privileges. It does so through a group of exploits downloaded from an Amazon S3 bucket.

After the device has been rooted, the malware starts to install a component in the system’s directory which makes it impossible for the malware to be removed.

Finally, the malware reaches for Zygote, which is Android’s core process for downloading and installing apps. Once Zygote is infected, CopyCat gets admin rights and subsequently installs fake apps on the infected device.

The attacker earns revenue by replacing a genuine app’s referrer ID with a fake one. Moreover, the admin rights allow the attacker to generate revenue by having the malware post fake ads and install fraudulent apps.

CopyCat’s command-and-control (C&C) server

Researchers at Check Point also investigated the malware’s C&C server to get more insight into how the malware works. The investigation revealed that the data found on the server dates back to 2016 and earlier.

In fact, around 3.8 million devices were infected last year between the months of April and May, while 4.4 million devices were infiltrated to install fake apps on Google Play and thereby generate revenue for the attacker.

The researchers also stated that the malware exploited vulnerabilities that were quite common, some of which have been known since 2013. The reason the attackers were able to access users’ devices was probably that users did not upgrade their systems.

Who is responsible for the attack?

There is no evidence pointing to any particular culprit, but experts believe that an ad network based in China might be behind it.

Google’s response

When asked, Google said that it was aware of the malware and believed it was a variant of a larger malware family. It stated that an update is released to patch the vulnerable devices whenever a related malware is discovered.

However, a researcher from Check Point stated that the malware demonstrated some very different techniques which show that CopyCat does not belong to any malware family.

Nevertheless, it does have similarities with other malware types, particularly HummingBad and Gooligan. The former broke into 1 million Google accounts last year while the latter, like CopyCat, was part of an ad fraud campaign.

Google referred to Play Protect, which is the company’s malware-detection software. Play Protect scans all the apps installed on a user’s phone and checks whether an infection is present.
