Friday, 14 July 2017

"CopyCat" malware affects millions of Android users around the world





A new malware dubbed CopyCat has affected more than 14 million Android devices around the world, rooting phones and hijacking applications to make millions in fraudulent advertisement revenue.
“CopyCat is a mobile malware targeting Android devices that uses state-of-the-art technology to conduct ad fraud. Upon infection, it roots the user’s device, allowing attackers to gain full control of the device.”
Security researchers at Check Point discovered the malware. It can root infected devices, and it uses several exploits, including CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot), and CVE-2014-3153 (Towelroot), to infect devices running Android 5.0 (Lollipop) and earlier.
“CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop-up on their screens,”
The malware is able to replace the Referrer ID on the applications with its own ID, so every ad that pops up on the app will send revenue to the attackers instead of the app’s authors. Every now and then, it will also throw in its own ads for an extra buck.
“CopyCat tries to find a referrer id for this package locally in shared preferences. If such an id isn’t found, CopyCat sends a request to the server http://api.tracksummer.com/api/v1/get and uses the answer as a referrer id, which is a value used in tracking ad campaigns and attributing them to the publisher who promoted the app and will receive the money for the installation. With the fraudulent referrer id, CopyCat creates an INSTALL_REFERRER intent, and sets the extra field “flags” to value “20”, to avoid being blocked by its own injected module.”
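A defender-side check for the referrer-ID lookup described in the quote above, as an added example that is not from Check Point or the original post: it scans web-proxy log lines for requests to the endpoint named in the report and counts hits per client device. The log format (time, client, method, URL), the client addresses and every sample line are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Indicator taken from the quoted report above.
IOC_HOST = "api.tracksummer.com"
IOC_PATH = "/api/v1/get"

# Constructed sample proxy log (assumed format: time client method url).
# The query string on the first line is made up for illustration.
SAMPLE_LOG = """\
2017-07-14T09:00:01Z 10.0.0.21 GET http://api.tracksummer.com/api/v1/get?id=1
2017-07-14T09:00:05Z 10.0.0.22 GET http://example.com/index.html
2017-07-14T09:01:10Z 10.0.0.21 GET http://API.TrackSummer.com:80/api/v1/get
2017-07-14T09:02:00Z 10.0.0.23 GET http://api.tracksummer.com.example.net/api/v1/get
2017-07-14T09:03:00Z 10.0.0.24 GET http://example.org/?u=http://api.tracksummer.com/api/v1/get
malformed line
"""

def is_referrer_fetch(url: str) -> bool:
    """True only when the request's host and path equal the indicator.

    Comparing the parsed host (not a substring) avoids false positives on
    look-alike suffixes and on URLs that merely mention the indicator.
    """
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:  # e.g. malformed bracketed host
        return False
    return host == IOC_HOST and parts.path.rstrip("/") == IOC_PATH

def clients_contacting_ioc(log_text: str) -> Counter:
    """Count indicator hits per client address; skip unparsable lines."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _time, client, _method, url = fields
        if is_referrer_fetch(url):
            hits[client] += 1
    return hits

if __name__ == "__main__":
    for client, count in clients_contacting_ioc(SAMPLE_LOG).items():
        print(f"{client}: {count} request(s) to {IOC_HOST}{IOC_PATH}")
```

A hit identifies a device worth examining further; on its own it only shows that the endpoint was contacted.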