Copycat - Application Shielding

Application Shielding Against the Next Copycat Hack

Technology innovation isn’t just the purview of Silicon Valley. Hackers around the world work diligently to develop malware intended to stay ahead of patches and new versions of mobile device operating systems.

For instance, cyber criminals launched a sophisticated malware attack against Android OS devices that peaked between April and May 2016. Eweek reported in a July 6, 2017 article that Check Point, just unearthed the existence and most likely provenance of malware downloaded onto more than 14 million Android devices worldwide. The criminal ring that produced and spread the malware made more than US$1.5 million in the year during which the hack remained undetected.

Check Point nicknamed the malware Copycat.

‘Unfortunately, devices infected by CopyCat may still be affected by the malware even today,” according to Check Point’s blog post on the subject.

Copycat operated at the root and application level of Android devices. Once malware infiltrates the root — or control level — of a device, it can take control of the device from users and administrators.

Individuals and businesses are vulnerable to the attack approaches Copycat took: users in the financial apps they use to run their daily lives and the advertisements that appear on their screens; and businesses that give access to devices infected with the malware.

The most effective defense against future attacks by the same sort of malware in the future involves application shielding.

Application shielding products like Promon SHIELD™ presume operating systems and networks are always vulnerable to infiltration by malicious software. The cyber security technology sees the individual applications as defensible and more easily reinforced than operating systems.

A Copycat Like No Other

The first thing Copycat tries to do after it has piggy-backed an app download from a third-party Android app library is to root the device. Once malware takes control of a device, hackers can perform all manner of unsavory activities with the device. One of the most novel and lucrative activities Copycat performed was downloading other apps onto an infected device for money.

“We called it [CopyCat] because it takes credit for installations it didn’t initiate, which is the big technological innovation it presents,” Daniel Padon, mobile threat researcher at Check Point, told eWEEK.

Copycat collects revenues by claiming credit for the downloads from the companies that pay for the ads.

Copycat is able to substitute the hacker’s referrer id for ad downloads with its own by injecting a virus into the software Android uses to launch apps. Google calls the software launcher Zygote. The injection also forces Zygote to display fake ads while hiding the origin of the ads from viewers.

The malware also installs illicit apps onto devices without a user’s knowledge. The installations can do anything from display unwanted adware through trapping user credentials through enslaving the device to become part of a massive attack on targets anywhere on the internet.

Lone hackers and criminal cyber rings will continue to stay several steps ahead of mainstream OS vendors. However, individuals and businesses would do well to invest in application shielding.