Android devices are in danger: CopyCat strikes worldwide

by Alice Woods - -

Adware dubbed CopyCat is extremely profitable and earned about $1.5 million in a period of only two months.[1]

copycat malware android

As CheckPoint reported, CopyCat compromised approximately 14 million Android devices and its developers have generated around $1.5 million in fake advertisement revenues in the course of a couple of months.[2]

The adware mostly targeted Android devices in Southeast Asia. In addition to that, it has already infected over 280,000 handsets in the United States.

The research at CheckPoint announced that the malware is completely developed with a range of capabilities. Once a PC if infected infected, the adware tries to root the victim’s device to receive complete control. Furthermore, the virus places code into the OS’s Zygote application running process. Then, the code enables the adware to interfere in any movement on the handset.[3]

The CopyCat applies two methods of hacking the Zygote’s operation and stealing advertisement revenue. It shows fake pop-up advertisements on a victim’s device and abducts advertisement installation credits. Moreover, CopyCat installs fake applications straight onto the handset, thus, the developers are able to generate even bigger profit.

Researchers at Check Point stated that distributors earn money for showing advertisements that influence the installation of particular applications. The adware tricks the device analytics platform Tune in order to generate the profit.

According to the researchers,

“CopyCat retrieves the package name of the app that the user is viewing on Google Play, and sends it to its Command and Control server. The server sends back a referrer ID suited for the package name. This referrer ID belongs to the creators of the malware, and will later be used to make sure the revenue for the installation is credited to them.”

CopyCat Scheme

These basic methods enable the attackers to earn a great amount of money due to the number of devices compromised by this malware.

The adware rooted approximately 8 million devices from about 14 million that were infected. The malware was distributed via third-party app stores between April and May 2016.[4]

There is no evidence that the malware was available on Google Play.

CopyCat was detected after it compromised one business client who informed Google about the hack.

Check Point mobile research team, who also discovered the adware, wrote: “According to Google, they were able to quell the campaign, and the current number of infected devices is far lower than it was at the time of the campaign's peak. Unfortunately, devices infected by CopyCat may still be affected by the malware even today”.


About the author

Alice Woods
Alice Woods - Antivirus software analyst

Alice Woods is an anti-malware analyst at She is passionate about testing new pieces of software and discovering pros and cons of each program.

Contact Alice Woods
About the company Esolutions


now online
Like us on Facebook