Google has stepped up its efforts to secure Android in recent years, but exploits are bound to happen with billions of devices out there. Security firms are reporting on a particularly successful strain of malware called CopyCat, which reportedly hit some 14 million devices last year, and successfully gained root access on about 8 million of them. The goal of this scheme was to make money from fraudulent ads and app installs, and the malware creators probably made a lot of it.
CopyCat was distributed covertly inside a number of popular apps that were repackaged and posted in third-party app stores. No instances of it have appeared in the Play Store, likely because the exploits it uses are known to Google and would have been easily detected. Most infections occurred in Asia, but there were also instances of CopyCat in other parts of the world, including the US.
Once installed on a device, CopyCat uses a suite of five previously patched vulnerabilities to attack it. Three of them (CVE-2014-4321, CVE-2014-4324, CVE-2013-6282) belong to the VROOT method; the other two are PingPongRoot (CVE-2015-3636) and Towelroot (CVE-2014-3153). Of these, PingPongRoot is the most recent: it was released to gain root access on Lollipop and was patched in Android 5.1.1 in mid-2015.
All three of these root methods were originally used by enthusiasts to gain root and modify their own devices; now they are being used by online fraudsters to take control of phones. If CopyCat successfully roots a device, it injects code into Zygote, the Android process responsible for launching apps, and begins silently installing apps. That foothold lets the attackers fraudulently collect referral credits for those installs and hijack ads. Security firm Check Point estimates CopyCat earned its operators $1.5 million over about two months.
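Because the malware's persistence point is code injected into Zygote, one defender-side check is to inspect the executable memory mappings of the zygote process and flag any file-backed code that does not come from a system partition. The script below is an added illustration, not code from the article or from Check Point: it parses the text of a Linux `/proc/<pid>/maps` file and reports executable, file-backed mappings outside an assumed allow-list of system code directories. The sample maps dump, the allow-list of trusted prefixes and the `/data/local/tmp/libinject.so` library name are all constructed for the example; reading a real zygote's maps requires root or a debuggable build, and legitimate app data is excluded only because zygote itself should never load code from `/data`.

```python
import re
from dataclasses import dataclass
from typing import List

# Directories Android itself maps executable code from. Executable, file-backed
# memory outside these is unexpected in a zygote process.
# Assumption: a simplified allow-list for illustration, not an exhaustive one.
TRUSTED_CODE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/apex/")

# Layout of one /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous mappings


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue  # skip blank or malformed lines rather than failing the scan
        mappings.append(
            Mapping(int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"].strip())
        )
    return mappings


def suspicious_code_mappings(mappings: List[Mapping]) -> List[Mapping]:
    """Return executable, file-backed mappings whose path is outside trusted code directories."""
    flagged = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue  # not executable, so not loaded code
        if not mp.path or mp.path.startswith("["):
            continue  # anonymous or pseudo-paths such as [stack]; ART's JIT uses such regions legitimately
        if not mp.path.startswith(TRUSTED_CODE_PREFIXES):
            flagged.append(mp)
    return flagged


def scan_zygote_maps(text: str) -> List[str]:
    """Convenience wrapper: paths of suspicious executable mappings in a maps dump."""
    return [mp.path for mp in suspicious_code_mappings(parse_maps(text))]


# Constructed sample resembling a 64-bit zygote maps dump. The /data/... library is a
# hypothetical injected module for the example, not a real CopyCat artifact.
SAMPLE_ZYGOTE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0                          [anon:dalvik-main space]
7f6a000000-7f6a1b5000 r-xp 00000000 fd:00 1234                   /system/lib64/libc.so
7f6a1b5000-7f6a1b6000 r--p 001b4000 fd:00 1234                   /system/lib64/libc.so
7f6b000000-7f6b020000 r-xp 00000000 fd:00 5678                   /apex/com.android.runtime/lib64/libart.so
7f6c000000-7f6c004000 r-xp 00000000 fd:02 9012                   /data/local/tmp/libinject.so
7f6d000000-7f6d001000 rw-p 00000000 00:00 0                      [stack]
"""

if __name__ == "__main__":
    for path in scan_zygote_maps(SAMPLE_ZYGOTE_MAPS):
        print("suspicious executable mapping in zygote:", path)
```

On a real device the same logic would be run over the output of `cat /proc/$(pidof zygote64)/maps` collected from a rooted test unit or a forensic image; a hit under `/data` or `/sdcard` in zygote is a strong signal, while anonymous executable regions are deliberately ignored here because the ART runtime creates them in normal operation.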
Google patched the holes used by this malware years ago, but there are still plenty of devices running vulnerable versions of the OS. According to Google’s platform distribution numbers, around one third of phones are running a build that could be vulnerable to at least one of these exploits. It’s up to device makers to send out security patches, and update support usually ends after a few years. In the case of budget devices, updates might dry up after just a few months.
While the malware was not installed via the Play Store, Google has remotely killed CopyCat on many devices. However, not all phones (like those in China) have Google services installed to make that possible. That means some number of old phones out there will continue piping cash to the malware distributors until they stop working.