CopyCat malware infects 14 million Google Android devices
[]
A malicious software campaign called CopyCat infected 14 million devices running Google's Android operating system, earning the hackers behind the campaign approximately 1.5 million US dollars in fake ad revenues in two months, researchers from Check Point Software Technologies said on Thursday.
While most of the users affected were in Southeast Asia, CopyCat reached more than 280,000 Android users in the United States. 
CopyCat is a fully developed malware with multiple capabilities. /VCG Photo

CopyCat is a fully developed malware with multiple capabilities. /VCG Photo

According to Check Point, CopyCat is a fully developed malware with multiple capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a demon responsible for launching apps in the Android operating system – that allows malware to take control of the device.
Once it has control of the Zygote, it can detect every app a user uses or downloads. 
What does CopyCat do?
How CopyCat earns millions. /Check Point Photo

How CopyCat earns millions. /Check Point Photo

Most advanced technology is used by CopyCat to conduct different forms of ad fraud. If infected, the malware will first root the user’s device, gaining full control. 
CopyCat then injects code into the Zygote app launching process so that attackers can receive revenue by getting credit for fraudulently installing apps by substituting the real referrer’s ID with their own.
In addition, CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it hard for users to understand what’s causing the ads to show up on their screens.
The malware also installs fraudulent apps directly to the device, using a separate module. These activities generate large amounts of profits for the creators of CopyCat, given the large number of devices infected by the malware.
What can Google do to fight back?
VCG Photo

VCG Photo

The peak of the CopyCat campaign was between April and May 2016. The campaign spread via popular apps, repackaged with the malware and downloaded from third party app stores, as well as phishing scams, according to researchers. 
There was no evidence that CopyCat was distributed on Google Play, Google’s official app store.
Google said that they were able to eliminate the malware, and the current number of infected devices was far lower than it was at the attack's peak. 
Unfortunately, devices infected by CopyCat may still be affected by the malware even today, Check Point said in a statement. 
(With input from Check Point)