
CopyCat malware: How does this Android threat operate?

Check Point researchers discovered new Android malware named CopyCat, which has infected 14 million devices. Learn how this malware works and how it spread from expert Nick Lewis.

Check Point researchers found a new type of Android malware called CopyCat that has infected more than 14 million devices and has the ability to root phones. How does CopyCat malware work?

Malware developers are like most other software developers in one respect: it takes a long time to learn a new skill and to adapt existing skills to a new platform.

Mobile malware has been making the same advancements that Mac malware and PC malware have made, and distinguishing adware from malware is becoming increasingly difficult because users might intentionally install adware to try to get commercial software for free. Adware may also use the same techniques as malware to implement its ad-display functionality.

Check Point researchers reported a new type of Android malware called CopyCat, but they didn't report how they initially found it. Check Point also didn't report how the malware got installed on the endpoints; determining that would most likely require access to the infected endpoints.

Because CopyCat malware has mostly affected users in Southeast Asia, other security vendors suspect third-party app stores are the primary vector. The goal of CopyCat appears to be to display advertisements on mobile devices in order to generate revenue for the authors.

While at first CopyCat appears to be adware, Check Point investigated it in-depth to document the current state of Android malware and found that it has several core malware functions, such as local privilege escalation, persistence, hiding its existence, auto-run to ensure the malware is running, displaying ads, and a command-and-control (C&C) server. CopyCat malware features separate modules that are either hidden within an Android Package Kit or that are downloaded from a C&C server once the initial device infection is complete.

Furthermore, the modules in CopyCat are written in different languages depending on the functionality each module needs. CopyCat malware is difficult to hide at the network layer, and Check Point researchers used that to their advantage to analyze the C&C connection as part of their investigation.

When applications run on an infected device, their legitimate ad modules are redirected to the CopyCat malware modules, which display the ads the CopyCat authors have chosen so that the ad revenue goes to them.

Because CopyCat is modular and written in C#, it is difficult for mobile antimalware programs to detect it, according to the Check Point researchers. Users should avoid using third-party mobile app stores or downloading apps from suspicious sources.
