At first glance the Copycat malware doesn’t seem like a huge threat to end users. Its primary purpose is to make money by reporting the installation of apps for which it gets paid a commission. End users will see apps installed on their Android devices that they didn’t download, and in many cases those apps will be bogus, but little else seems to happen.
But in fact, there’s a lot going on beneath the surface. Copycat, which was first discovered by researchers at Check Point Software, infects a device when the user downloads an infected app from a third-party app store or when the user falls for a phishing email. Once it’s on the device, the malware uses one of several exploits to attack the device.
The first attack is to gain root access to the Android device, which it’s able to accomplish over half the time. Once it roots the device, the malware injects code into Android’s Zygote service, which is the process that Android uses to launch apps. The Zygote attack allows the malware to download new apps silently, for which it’s paid a referral. In addition, the malware monitors user activity to get referrals for apps the user views in Google Play, for which it then also gets referral payments.
Meanwhile, the malware has installed itself to the Android system to gain persistency. Once it’s there, the user is unlikely to realize that the device has been infected and in any case the malware is difficult to remove. Unless the device is patched, the malware can stay inside the device essentially forever.
The more serious problem with Copycat is that the malware can be used to deliver payloads besides bogus ad referral requests. Because it is successful in rooting the device when it’s installed, the Copycat malware can be used to deliver some serious threats, such as ransomware, spyware or software that’s designed to infect users' network to help spread other types of malware if it can.
Perhaps worse, because the malware is already alive on something like 14 million Android devices, it’s entirely possible for it to install the software necessary to deliver a DDOS on a global basis, entirely using mobile devices. Because it is so distributed, such a mobile attack could proceed without being obvious to the originating networks, but could deliver a lethal blow to the target.
If there’s a positive development in all of this, it’s that Google has already issued patches for the Android devices that are affected. In addition, at this point Copycat only affects older versions of Android.