This is one nasty feline. Joining a spate of recent malware attacks like Petya and WannaCry, CopyCat is the latest broad-based cybersecurity threat. Once again, we’ve prevailed with a solution and the threat will be quelled. But at what cost? And what can be done the next time around? If history is teaching us anything, it’s that cybercriminals are extraordinarily crafty and nimble.

Beware mobile adware

Not all malware is created equal. CopyCat took a different approach than other recent high-profile assaults, attacking the mobile advertising channel by creating fake ads and stealing the revenues. It’s disguised as a popular app that, once downloaded, collects data from the device and disables the device’s security system by rooting the phone and taking control of its app launcher, known as Zygote.

As a result, each time an ad pops up on the app, the ad revenue is diverted to the hackers instead of reaching the developers of the genuine app. The malware does this by replacing the genuine app’s ID with its own referrer ID. It can also make its own ads pop up while hiding their origin, making it difficult for users to identify why they are being persistently interrupted by pop-ups.

Assessing the damage

It has been reported that CopyCat has infected more than 14 million Android devices worldwide, particularly in Asia and Africa, although more than 280,000 devices in the United States have been compromised as well.

Along the way, nearly 4.9 million fake apps were installed on infected devices, which displayed up to 100 million ads. During April and May of 2016 alone, it’s estimated that the CopyCat cybercriminals earned $1.5 million. Pretty staggering statistics, though it could have been far worse. While some suspect the culprits hail from China, as no devices there have been reported to be infected, it’s impossible to know – at least at this point. 

Users and developers lose

With CopyCat, the primary victims are the companies that unknowingly pay the cybercriminals instead of legitimate app developers for bogus ads. This abuse of the system hits at the core of the mobile advertising infrastructure with potentially far-reaching implications. In addition to lost revenue opportunities, app developers risk more consumer scrutiny and distrust.

It can be particularly unnerving for end-users. Any app that can be installed by the malware onto a mobile device also has the potential to locate and steal sensitive personal data, like banking or credit card information. Already a tremendous concern for consumers, this only adds to a collective sense of unease.

But perhaps equally harmful, CopyCat malware can seriously degrade the quality of experience (QoE) so essential to today’s users. As we all know, consumers expect the highest QoE and when quality slips, providers risk churn. Safeguarding and improving QoE are essential considerations for service providers to maintain and grow their businesses.

A sophisticated security approach 

CopyCat exploits vulnerabilities in Android versions 5 and earlier, so those running older operating systems are most vulnerable. The first line of defense is regular updating, but users must be educated about the importance of regularly updating their devices.

Once a device has been victimized, the most straightforward fix for this invasive malware is to patch it with the most recent updates. Unfortunately, it takes time for updates to be developed and to proliferate, and there’s no guarantee that every user will adopt this behavior in a timely fashion.

A far more effective alternative starts with a professional network-based security solution that deploys advanced anti-virus and anti-phishing software to protect both networks and customers against malware of all sorts. When network providers take this step and combine it with a comprehensive and unified security solution for customers, they provide critical security as a service at both the network level and the end-point. It is a one-two punch that provides the kind of proactive protection required to stave off increasingly sophisticated mobile malware.

Moreover, these solutions must be seamless to implement, easy to activate, and nimble enough to defend networks and end-points against wide-ranging and continually mutating threats. And they must do so without jeopardizing network and end-point performance.

CopyCat is only the latest threat to mobile security. There are always new techniques and therefore new challenges. The next high-profile attack will likely break new ground, too. This diversity illustrates the need for service providers to stay out in front of those who seek to illegally profit and harm. Smart defense requires vigilance on numerous fronts and in different ways to protect both networks and users. Beating threats requires thinking like the attackers do, rooting out the vulnerabilities, and using the smartest tactics and forward-looking technologies available.


Moshe Elias is Director of Product Marketing at Allot Communications, a provider of security and monetization solutions that enable service providers to protect and personalize the digital experience. Elias currently focuses on marketing security solutions for consumers and businesses to protect against cyber threats. Prior to his current role, he held management positions at Cisco Systems and Checkpoint in engineering, business development, and sales.