Weekly Executive Summary for Week July 14, 2017

By Joseph Lorenz on July 14, 2017

What is it? Ad-Ware | Android Malware

What has it been dubbed? CopyCat

What does it do?

The malware infected 14 million Android devices and rooted 8 million of them. CopyCat was spread via phishing emails and third-party app stores that hosted malicious versions of legitimate, popular applications. During this campaign 3.8 million devices served fraudulent ads, 4.9 million fake apps were installed, and 4.4 million devices stole credit for installing applications (Google Play Store Credits). The adware made as much as $1.5 million in just two months (April – May 2016). The campaign ended after its two-month peak in revenue, and Google has since put protections in place to block the malware from gaining a foothold on Android devices (even devices running older software versions). CopyCat mainly affected devices in Southeast Asia, with an emphasis on India, Pakistan, and Bangladesh. According to researchers at Check Point, the malware avoided targeting users in China. The malware was eventually traced back to an ad-tech startup based in Guangzhou, China called MobiSummer. CopyCat and MobiSummer shared code signatures, remote services, infrastructure, and operators.

How does it do it?

CopyCat is modular, which allows the attackers to change their strategies and the malware’s behaviour in order to target more users. Some of the modules are regular Android apps written in Java, which the attackers use when they need external ad libraries. Other modules are implemented as native binaries, which allow low-level functionality and make the malware more evasive.

Initial infection occurs once a malicious application (masquerading as a popular legitimate app) is installed. The app unpacks and downloads a binary called Rser, which runs exploits in an attempt to escalate privileges to root. This module is responsible for establishing persistence and copying other modules to the ‘/system/bin’ directory. The Rser module is also used to copy specified files to the ‘/system/app’ directory, which triggers automatic installation of any copied apps the attackers have attached.

The exploit module is used to escalate the current user’s privileges to root (rooting the device); this is done through numerous Android vulnerabilities.

[Table: list of CVEs used by the exploit module (not reproduced). Source: Check Point Security]

The malware injects code into Zygote, a daemon responsible for launching applications in Android OS. CopyCat first roots the device, which allows an attacker to gain full control of the infected device. Once the malicious code is running in Zygote, the attacker is able to acquire money by getting credit for installing apps. Once control is gained, the attackers display fake ads and install fraudulent apps.

The Aser module is used to inject a shared library into Zygote, the daemon (a process that runs in the background, like a service) responsible for launching applications in Android OS. The library is injected using ptrace (process trace), a system call in the Linux kernel used to observe and control the execution of other processes. This module only works if root privileges have been obtained, so the exploit module must succeed before this module can be used.
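A defender-side triage check for the injection described above, added here as an example (it is not code from the Check Point report): it parses Zygote’s /proc maps and status text for an executable mapping outside the system partitions and for a ptrace tracer. The sample /proc text is constructed, and the trusted-directory list and the root-level adb access it assumes are assumptions.

```python
"""Triage helper (added example, not from the Check Point report): flag a
shared library injected into Zygote and a ptrace attachment, using the
kind of data an analyst pulls from /proc on a test device via adb."""
import re

# Directories from which Zygote legitimately maps code on stock Android.
# This allow-list is an assumption; tune it for the device's build.
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/odm/", "/product/",
                    "/system_ext/")

# Constructed sample of `cat /proc/<zygote pid>/maps`; the last line imitates
# a library loaded from a writable location, which Zygote never does itself.
SAMPLE_MAPS = """\
7f3a1000-7f3a5000 r-xp 00000000 fd:00 1234 /system/bin/app_process64
7f3b0000-7f3c0000 r-xp 00000000 fd:00 2345 /system/lib64/libc.so
7f3d0000-7f3d2000 rw-p 00000000 00:00 0    [anon:libc_malloc]
7f3e0000-7f3e8000 r-xp 00000000 fd:00 3456 /apex/com.android.runtime/lib64/libart.so
7f3f0000-7f3f4000 r-xp 00000000 fd:01 4567 /data/local/tmp/libevil.so
"""

# Constructed sample of `cat /proc/<zygote pid>/status`. TracerPid is non-zero
# only while a ptrace attach is in progress, so the mapped library above is the
# more durable indicator; the tracer check catches an injection mid-flight.
SAMPLE_STATUS = "Name:\tzygote64\nState:\tS (sleeping)\nTracerPid:\t4242\n"

def suspicious_libraries(maps_text):
    """Return file-backed executable mappings outside the trusted prefixes."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                   # anonymous mapping, no path
        perms, path = fields[1], fields[5]
        if "x" not in perms or not path.startswith("/"):
            continue                   # only executable, file-backed regions
        if not path.startswith(TRUSTED_PREFIXES):
            hits.append(path)
    return hits

def tracer_pid(status_text):
    """Return the PID of the process currently tracing Zygote, or 0."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else 0

if __name__ == "__main__":
    print("Injected libraries:", suspicious_libraries(SAMPLE_MAPS))
    print("Tracer PID:", tracer_pid(SAMPLE_STATUS))
```

On a real device the two inputs come from the Zygote process’s /proc/<pid>/maps and /proc/<pid>/status (readable via an adb shell with root on a test device), and the prefix list must be adjusted to the build’s partition layout.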

The malware has another module for conducting fraudulent installations using root permissions, without needing to inject more code into the Zygote process. This module operates at a very low level of the Android OS and takes advantage of Android’s package manager. The package manager will install apps found in the ‘/data/app’ directory, so CopyCat copies the APK (Android Application Package) files of the fraudulent apps it wants to install into this directory. The malware also checks whether the app has already been installed, then reports back to the Command & Control server.

[Code: fraudulent-installation module (not reproduced). Source: Check Point Security]

The developers of CopyCat haven’t put much effort into evading reverse-engineering techniques, but they have put methods in place to avoid detection on the device. The first is evading antivirus software: it uses small modules written in C to avoid mobile AVs (which normally only analyze Java-based Android apps). The second technique avoids anti-fraud systems by checking certain conditions before acting. It checks the time zone and language to avoid Chinese users, then checks which ads are already being displayed in apps to avoid raising suspicion, and finally checks advertisement intervals.

    if(!v2.contains("zh")) {
        TimeZone v3 = TimeZone.getDefault();
        // 28800000 ms = 8 hours, i.e. a raw UTC+8 offset (China Standard Time)
        if(((long)v3.getRawOffset()) == 28800000 && (v2.contains("en"))) {
            // remainder of the check not shown in the report excerpt
        }
    }

Code used to avoid Chinese users (decompiled Java; v2 holds the language string being checked)

Source: Check Point Security


Conclusion:

On the surface CopyCat might not seem as destructive as other forms of Android malware, but successfully ‘rooting’ devices leaves infected users vulnerable to other forms of malware that take advantage of this. Android runs an OS based on the Linux kernel, and ‘root’ is the equivalent of ‘administrator’ in Windows. This essentially means that the device has full access to all parts of the system; this is not enabled by default on Android devices for obvious reasons.

This is another great example of how dangerous it can be to download applications from third-party app stores. Malware has been found in the Google Play store in the past, but no infections from this particular malware were found through the official Play Store.

Sources:

https://www.checkpoint.com/downloads/resources/copycat-research-report.pdf (Check Point Security)

http://fortune.com/2017/07/06/google-android-copycat-malware/ (Fortune)

https://fossbytes.com/copycat-malware-android/ (FOSSBYTES)