Worldwide, too many of the currently active Android smartphones run a version of the operating system that is completely outdated and therefore vulnerable to all kinds of malware. While the market share of Android 6.x has stalled at about 30% and Android 7 is not yet offered by many manufacturers, Android Lollipop, KitKat and earlier Android versions still hold a combined market share of nearly 60 percent.
An attacker exploited this situation to infect 14 million smartphones with malicious software called “CopyCat”. CopyCat affects Android smartphones and Android tablets running Android 5 and earlier. According to the security company Check Point, the malware uses a total of six known security holes, which were closed with Android 5.1.
The attackers' trick is very simple. Through various download portals, they offer manipulated copies of popular apps that can no longer be downloaded from the regular Google Play Store on the outdated smartphones. The corresponding exploits are hidden in the code of these apps, and the user usually notices nothing. The apps can gain root privileges and take full control of other apps on the smartphone. A total of 8 of the 14 million smartphones have already been manipulated this extensively.
The attack becomes lucrative because the hackers simply take the advertising IDs that the original developers embedded in many ad-supported apps and replace them with their own advertising IDs. According to Check Point, the people behind the attack have taken in around 1.5 million dollars this way in the past two months.
The scheme is remotely reminiscent of the “Judy” malware, which is said to have infected a total of 35 million smartphones and turns the affected Android devices into participants in a giant click network. While that malware, which apparently came from Kiniwini, spread rapidly through the official Play Store, in the case of CopyCat Google responded quickly after early indications and secured the entire official store against manipulated apps.
A server operated by CopyCat is located in China, which is also where Check Point assumes the people behind the attack are based. True to the motto “Sh … not where you eat”, however, they are smart enough not to tangle with the Chinese authorities and have built a location check into their malicious code. If an infected Android smartphone is in China, the tool is disabled. As a result, most of the active infected devices were found in India, Pakistan, Bangladesh, Indonesia, smaller countries, Canada, the Americas and Europe.
In this case, too, it is as unclear as it is remarkable why the supposedly sophisticated security mechanisms of the advertising networks concerned did not notice the fraud. If several million advertising IDs of formerly successful programs “suddenly” generate much less revenue and other advertising IDs reach seven-digit revenues in return, then every warning light in the tracking systems should really come on.