The researchers define CopyCat as "a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into the Zygote", which is a primary Android app launching process. After a device is infected by CopyCat, it further holds itself until the device reboots and then it tries to root the device. As an attempt to root the device, the malware uses six vulnerabilities possessed by Android 5.0 Lollipop and earlier versions through an 'upgrade' acquired through Amazon Web Service storage. Although the flaws found by researchers was capable enough for earlier Android versions, it could still be persistent in the devices that have not been patched or updated in last two years.
As we said, after it exploits the vulnerabilities of Android, the CopyCat malware starts the malicious code injection process to the Zygote app launching process and then generates illicit revenue by installing apps and further replacing the user's referrer ID with that of attackers. It additionally starts displaying fraud ads and apps. This kind of a technique was earlier used by the Triada Trojan, which targeted devices to gain superuser privileges before making use of regular Linux debugging tools to embed its DLL and infect mobile browsers.
Talking about the stats, about 26 percent of the CopyCat infected devices showed fraudulent advertisements, while a good 30 percent devices were operated to steal credit for downloading and installing the apps on the device. In addition, the study mentions that the malware also shared the device's information to CopyCat's control centres.
Google was able to subdue the impact of the CopyCat malware campaign back when the outbreak happened, gradually reducing the number of affected devices, however devices that haven't been updated could still be open to attackers. We recommend users stick to official app stores for their app downloads.
Source :- http://gadgets.ndtv.com
Image Source : http://blog.checkpoint.com
0 Comments