Fast-spreading CopyCat Android malware nicks pennies via pop-up ads

A powerful and fast-spreading Android malware strain dubbed CopyCat has infected 14 million Android devices. CopyCat is primarily designed to generate and steal ad revenues. It does this by rooting compromised devices and establishing persistence. Injecting code into Zygote – a daemon responsible for launching apps in the …

  1. Sir Runcible Spoon Silver badge
    Paris Hilton

    I feel retarded

    Can someone explain how these scumbags actually receive $money$ for this - surely that leaves some kind of trail that can be followed. After all, if you want your Ad rewards paid in Bitcoins it's going to look a mite suspicious. Who pays and how?

  2. Thoguht Silver badge

    Re: I feel retarded

    I'd be more interested in someone explaining how in this day and age it's still possible to trivially root an OS based on oh-so-secure Linux.

    Nice pic, though - is that from Fate/Zero Day?

  3. Steve Davies 3 Silver badge

    Re: I feel retarded

    Perhaps you should ask Google that question. After all, they are responsible for the software, especially any mods made to the kernel that may (or may not have) contributed to this and other vulnerabilities.

  4. Charlie Clark Silver badge

    Re: I feel retarded

    I'd be more interested in someone explaining how in this day and age it's still possible to trivially root an OS based on oh-so-secure Linux.

    Easy: just ask the user to do it. Some way to escalate permissions is always required to install software. But sideloading is disabled by default on Android and users are warned every time of the risks when they change the setting.

    Elsewhere, in OS theory land, it turns out to be pretty difficult to completely secure an OS when direct access to the hardware is required, and systems like "trusted computing" have their own problems, like preventing users from using devices as they would like. But Unix was never developed as a secure OS, as anyone who's entered single user mode would attest.

  5. fidodogbreath Silver badge

    Re: I feel retarded

    Perhaps you should ask Google that question. After all, they are responsible for the software, especially any mods made to the kernel that may (or may not have) contributed to this and other vulnerabilities.

    Android versions prior to Nougat also run older versions of the Linux kernel.

  6. DougS Silver badge

    Re: I feel retarded

    How is anyone supposed to tell the legitimate vs illegitimate payments made to a bank account in China that receives both? When someone finds out about it they probably shut down payments to that account, along with barring the referrer ID these guys were using. No problem, they have other bank accounts and other referrer IDs, which future exploits will use (probably already are using) so trying to stop them is like playing whack a mole.

    If we can't stop terrorist funding despite essentially unlimited budgets being thrown at the problem of terrorism, how do you expect to stop small time criminals like these from getting paid?

  7. Roland6 Silver badge

    Re: I feel retarded

    Re: "I'd be more interested in someone explaining how in this day and age it's still possible to trivially root an OS"

    Whilst I agree with the sentiment - namely Android is nearly 10 years old, we shouldn't forget about the lessons of Windows...

    What struck me was the statement: "The mobile malware successfully rooted over 54 per cent of the devices it infected", which would seem to imply that the received wisdom of 'locking' phones (ie. denying end user root access) is not a particularly effective security measure.

  8. Anonymous Coward

    Re: I feel retarded

    " But unix was never developed as a secure OS as anyone who's entered single user mode would attest to."

    Quite. One security advantage of Windows is that you can get full constrained delegation of rights. In *Nix world a lot of stuff has to be done as root. In Windows you can easily delegate just the rights needed for specific admin tasks without using an admin / system level account. This is especially handy with say scripts (via JEA) - see: https://msdn.microsoft.com/en-us/library/dn896648.aspx

  9. DougS Silver badge

    Re: I feel retarded

    Linux and other Unixes have had extensions for many, many years to provide fine-grained admin access, e.g. to provide the ability to change network adapter settings without being able to perform other "root" level actions. From the earliest days of Unix, setuid provided a way (albeit with its own problems) to execute tasks requiring administrative privileges without using an admin/system level account.

    Despite your false claim that Windows has an advantage in this regard, it hasn't proven to be very secure, which shows how little privilege separation and delegation matters. It mostly eliminates one type of attack, but there are so many other methodologies available to malware authors it hasn't been nearly as effective as security researchers claimed it would be back in the 90s when Windows and Unix first acquired these capabilities but they weren't widely used.

    Most privilege escalation attacks rely on attacking a process or subsystem that already has elevated privileges as part of its design/requirement.

  10. mark l 2 Silver badge

    Re: I feel retarded

    My guess is that the scumbags get their money by getting innocent people to unwittingly accept money into their bank accounts. China has a lot of people who live on a few dollars per day, so if you offer them to open bank accounts with the promise that they can keep even just 1% of the money deposited in there, you will probably get a lot of people willing to sign up.

    Heck this even happens over in the west. If you look on some of the classified ads websites that are not moderated you will see people advertising 'jobs' to "sell items on ebay and get paid £50 per item" Anyone who takes these offers up is likely to get a knock on the door from the police in a month or two down the line when all the customers who bought stuff complain they didn't receive their items and ebay have frozen the accounts.

  11. Ken Hagan Gold badge

    Re: I feel retarded

    "Android versions prior to Nougat also run older versions of the Linux kernel."

    It's worse than that. If you (*) upgrade an older version to Nougat, you are probably still running the older kernel. In fact, you are probably stuck with whatever kernel version was current when the original device manufacturer first released the device.

    (* Yes, I mean you, with something like CyanogenLineage. Obviously the OEM has other options. However, I don't know if they actually take advantage of them. Anyone out there with a phone running the vendor's stock image that has been upgraded? Was the kernel upgraded at the same time?)

  12. Aynon Yuser

    Re: I feel retarded

    They work fast and anonymously. They steal a legitimate person's or company's identity and open accounts, collect the money and then run without a trace, pointing the finger at an unknowing innocent person when the scheme gets caught.

    They just repeat this over and over again.

  13. TheVogon Silver badge

    Re: I feel retarded

    "Linux and other Unixes have had extensions"

    That's part of the problem - fine grained security control is an after-thought - not built into everything from the ground up like in Windows.

    "From the earliest days of Unix, setuid provided a way (albeit with its own problems) to execute tasks requiring administrative privileges without using an admin/system level account."

    Not the same thing at all. For instance how would you control rights to different functions within the same executable?

    "Despite your false claim that Windows has an advantage in this regard"

    But it is massively superior in this regard - see the above.
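    An added illustration (not code from this thread or from any project it names) of the Unix pattern DougS refers to and the question TheVogon raises about scoping rights within one executable: a setuid-style helper on Linux that performs its single privileged step and then permanently, and verifiably, drops to the invoking user, so the remainder of the same binary cannot use root. The uid/gid 65534 fallback for a process that starts as real root, the placeholder privileged step, and the Linux-only setresuid/setresgid calls are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed fallback identity for a process whose real uid is already 0:
 * 65534 is "nobody"/"nogroup" on most Linux systems (assumption). */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and the gid go first, because once
 * the uid is unprivileged the process no longer holds CAP_SETGID. Real,
 * effective and saved ids are all set, so the drop cannot be undone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Never trust the drop: read the ids back and compare all three. */
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* Returns 1 if an attempt to become root now fails with EPERM, 0 otherwise
 * (0 means we are still root, or the drop was only temporary). */
int root_regain_blocked(void)
{
    if (geteuid() == 0)
        return 0;
    errno = 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* The shape a setuid helper should have: one privileged step while the
 * effective uid is still 0, then drop for everything else. The privileged
 * step is a placeholder comment here (constructed); a real helper would bind
 * a low port or open a device file at that point. Returns 0 on success. */
int privileged_step_then_drop(void)
{
    /* ... privileged work would happen here ... */

    /* A setuid-root binary drops back to the user who invoked it (the real
     * uid); a process that is really root has no such user and falls back
     * to the constructed unprivileged identity. */
    uid_t uid = getuid() != 0 ? getuid() : UNPRIV_UID;
    gid_t gid = getuid() != 0 ? getgid() : UNPRIV_GID;
    return drop_privileges(uid, gid);
}

int main(void)
{
    if (privileged_step_then_drop() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %u; root regain blocked: %s\n",
           (unsigned)getuid(), root_regain_blocked() ? "yes" : "no");
    return 0;
}
```

    The read-back after the drop is the part most often skipped in real helpers: a setuid() call that silently fails, or a drop that only changes the effective uid and leaves the saved uid at 0, is exactly the "own problems" of setuid that the thread alludes to.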

  14. Anonymous Coward

    Re: I feel retarded

    "Can someone explain how these scumbags actually receive $money$ for this - surely that leaves some kind of trail that can be followed"

    See https://darknetmarkets.org/a-simple-guide-to-safely-and-effectively-mixing-bitcoins/

  15. Alan Brown Silver badge

    Re: I feel retarded

    "Despite your false claim that Windows has an advantage in this regard, it hasn't proven to be very secure, which shows how little privilege separation and delegation matters. "

    More accurately, Windows NT inherited the multifaceted fine-grained controls from the VMS OS it was based on, and promptly threw them out. Getting them reinstated has taken a very long time because many software authors refuse to play nice on secured systems, including many big-name providers of expensive packages who really should know better.

  16. Mike 125

    'Due to sh'te software, other software does bad stuff'

    Also, 'ESTABLISHES PERSISTENCY'.

    Is persistency the same as persistence? How about 'CREATES SELF-NON-VOLATILITENCY'?

  17. Anonymous Coward

    So it spreads from untrusted sources, namely 3rd party stores and dummies who hit click me download.

    You can't secure against stupidity.

  18. Alan Brown Silver badge

    "So it spreads from untrusted sources, namely 3rd party stores and dummies who hit click me download and don't have an on-download scanner like sophos."

    FTFY. But then again, these crooks don't WANT smarter people to install this stuff. It's much easier to rip off dipshits.

  19. Anonymous Coward

    Google itself is the reason for sideloading

    The reason why sideloading (installing from sources other than Playstore) is so popular, is Google itself, because it refuses to host a number of popular apps.

    And even for apps that are distributed by Google Play, Google conspires with app developers to selectively discriminate against certain devices. Just last week I heard about a particular new app, and was able to install it on my Samsung smartphone through Google Play. Then I tried to do the same on a Samsung tablet -- but Google Play refuses to even admit that this app exists when running Google Play Store on my tablet. So I copied the APK from my phone onto my tablet and installed it locally. Works just fine on the Tab, exactly as it works on the phone. So there is deliberate malfeasance on the part of Google involved that forces end users to do sideloading to get their desired apps.

  20. fishman

    Re: Google itself is the reason for sideloading

    The only App store I use other than Google Play is Amazon's. And that's only for the Amazon Prime Video app that isn't on Google Play. I always leave sideloading off unless I'm installing or updating that app.

    I wonder how many people sideload an app, and then don't reset the device to no sideloading?

  21. matchbx
    FAIL

    Re: Google itself is the reason for sideloading

    The google play store is the worst. It's utterly impossible to find anything. Can't sort by anything, not price, not name, not rating, not downloads. Can't filter by anything, not by price range, not rating.....

    can't search by permissions or lack there of....

    I FRICKING HATE THE GOOGLE PLAY STORE.....WORST APP STORE EVER....

  22. Anonymous Coward

    Re: Google itself is the reason for sideloading

    Have you seen how bad a store can be? Be careful what you wish for. Windows store is abysmal now as it was 5 years ago...

  23. fidodogbreath Silver badge

    Re: Google itself is the reason for sideloading

    So there is deliberate malfeasance on the part of Google involved that forces end users to do sideloading to get their desired apps.

    I believe it's the app developer -- not Google -- who specifies the Android version and device compatibility for an app.

  24. Charlie Clark Silver badge

    Re: Google itself is the reason for sideloading

    Google conspires with App developers to selectively discriminate against certain devices.

    It doesn't you know. App developers (and copyright owners) get to choose. In addition there may be API / hardware restrictions. Google is happy enough collecting payment data, and selling ads.

    However, it would be nice to be able to legitimise alternative stores. Wonder if the EU investigation of Android will lead to such a recommendation.

  25. Alan Brown Silver badge

    Re: Google itself is the reason for sideloading

    "I wonder how many people sideload an app, and then not reset the device to no sideloading?"

    Marshmallow allows sideloading to be enabled on a per-apk basis (ie, "allow installation of this file only")

    If you don't have some kind of scanner checking files (even off the Google store) before installation then you're taking a risk. Malware has piggybacked on all app stores at times, even on Slurp Play.

  26. John Smith 19 Gold badge
    WTF?

    2017 and people copying games and planting malware inside hacked versions.

    Sad, sad, sad as f**k.

  27. Anonymous Coward

    Re: 2017 and people copying games and planting malware inside hacked versions.

    The key here is that there is POTENTIAL for this to happen, which is very different to ACTUALLY happening.

    I have still to meet a single Android owner that has ever had any virus or malware issue with their device. Weird given the amount of coverage.

  28. MD Rackham

    Re: 2017 and people copying games and planting malware inside hacked versions.

    "We have never had an undetected error."

  29. Walter Bishop Silver badge
    Facepalm

    Rooting an already compromised device

    "CopyCat is primarily designed to generate and steal ad revenues. It does this by rooting compromised devices and establishing persistence."

    Technically speaking an already compromised device doesn't need rooting.

  30. mzilikazi

    Ads? What ads?

  31. Danny 14 Silver badge

    Ironically, if the device is rooted then wouldn't you be able to block the ads at network level?

  32. Anonymous Coward

    Bzzt, try again

    The devil is in the detail (as always); the numbers are hypothetical, extrapolated from the following caveats.

    Only unpatched Android 4.4 and earlier.

    Only devices set up to sideload apps from outside Google Play.

    Only devices with Google Play Protect disabled (which, despite the name, monitors content from anywhere).

    The term "fast spreading" is also deceiving; there is no auto-replicating of this. A fail all round, essentially.

  33. TVU Silver badge

    Re: Bzzt, try again

    "Only devices set up to sideload apps from outside Google Play.

    Only devices with Google Play Protect disabled (which, despite the name, monitors content from anywhere)."

    In other words, if you play safely, there's a much reduced risk of malware infection. It's the same old PEBKAS phenomenon again - person between keyboard and seat.

  34. Anonymous Coward

    Re: Bzzt, try again

    "In other words, if you play safely, there's a much reduced risk of malware infection."

    No, the opposite. IF you go out of your way to deliberately find a vulnerable device, IF you deliberately disable all the protection mechanisms, IF you then deliberately download an infected file, and then IF you deliberately install it, you will get infected.

    However back in the real world, this is of course total BS, that's a huge number of IFs...

  35. Cuddles Silver badge

    "Powerful and fast-spreading"

    "User installs malware from dodgy app store / spam email"

    I'm not sure it counts as particularly powerful or fast-spreading if it relies on asking users nicely to install it. The spread of such malware says an awful lot about the general competence of users, but really very little about the malware itself.
