“CopyCat” Adware Infects Zygote Android Core Process

“CopyCat” is a well-known Android adware family that has infected more than 14 million devices and rooted more than 8 million of them in the last year and a half. It is estimated to have made around $1.5 for its developers. According to the security firm “Check Point”, it used five different exploits to root Android devices: CVE-2014-4321, CVE-2014-4324, CVE-2013-6282 (VROOT), CVE-2015-3636 (PingPongRoot) and CVE-2014-3153 (Towelroot). After rooting the device, CopyCat gains access to Android’s core OS processes and can control app launching. These exploits only work on older Android versions, Android 5 or earlier, but there is still a very large base of such devices.

The CopyCat malware circulated through third-party app stores and online forums. Most of the victims are in Southeast Asia; China was avoided, perhaps because its developers are located in China and wanted to avoid scrutiny by the Chinese authorities. According to “Check Point”, CopyCat has connections with Chinese ad firms. Earlier research concluded that the “HummingBad” and “YiSpecter” adware families are linked to a company named “Yingmob”, and that the “Judy” adware is linked to a company named “Kiniwini”.

According to cyber-security experts, apps infected with “CopyCat” never made their way into the Google Play Store. It was the first infection to successfully compromise Android core processes. The purpose of this adware is to show sponsored ads and pop-ups, even while the user is using legitimate apps. “CopyCat” is also able to install third-party apps without consent and to steal the user’s personal information. The image below shows CopyCat’s mode of operation and the countries where it infected the most devices.