Mobile malware dubbed CopyCat infected 14 million Android devices, earning the hackers behind it approximately $1.5 million in fake ad revenues in two months, according to security company Check Point.

Fraudulent ads were displayed on 3.8 million of the infected devices, while 4.4 million were used to steal credit for installing apps on Google Play.

CopyCat mainly affected users in Southeast Asia, but also spread to more than 280,000 Android users in the US.

The adware is a fully developed malware capable of controlling any activity on a device through its “vast capabilities”, including rooting devices (unlocking the operating system so unapproved content can be installed, which CopyCat did to some 8 million devices) and injecting code into Zygote (an app launching programme in the Android operating system).

Check Point said the campaign reached its peak between April and May 2016 and probably spread via popular apps repackaged with the malware and downloaded from third party app stores, as well as phishing scams. However, there was no evidence it was distributed on Google Play.

In March 2017, Check Point informed Google about the campaign and Google said it was able to quell it, but infected devices may still be affected even today.

How it works
CopyCat uses state-of-the-art technology to conduct various forms of ad fraud, similar to previous malware discovered by Check Point, including Gooligan, DressCode, and Skinner.

It first roots the device, allowing the attackers to gain full control, and “essentially leaving the user defenceless”, then injects code into the Zygote app launching process so attackers can get credit for fraudulently installing apps by substituting the real referrer’s ID with their own.

What’s more, CopyCat abuses the Zygote process to display fraudulent ads while hiding their origin, making it difficult for users to understand what’s causing the ads to pop-up on their screens.

Check Point warned such adware creates risk for both private users and businesses. Attackers need nothing more than a compromised device connected to the corporate network to breach the network and gain access to sensitive data.

The company recommended users treat their devices like any other part of their network, and protect them with the best cybersecurity solutions available.

“Cutting-edge malware such as CopyCat requires advanced protections, capable of identifying and blocking zero-day malware by using both static and dynamic app analysis.”