Best estimates are that some 14 million devices have been infected over the last two months, with 8 million of those having been rooted. Those same estimates indicate that the software has generated more than $1.5 million in revenue from fake ads over that time period.
Although it’s not at all clear who owns and controls the software, there’s strong circumstantial evidence that it’s being spread primarily via the Chinese advertising company MobiSummer, because:
• CopyCat and MobiSummer operate on the same server
• CopyCat and MobiSummer use the same remote services
• CopyCat has so far avoided targeting Chinese consumers, even though more than half the victims reside in Asia
• CopyCat uses several lines of code that have been signed by MobiSummer
According to the researchers, “It is important to note that while these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge.”
There’s no evidence that the app has a presence on the Google Play store, so its spread has been a consequence of downloads from third-party app stores.
Google has been notified and has already updated Play Protect to block the malware, but the rate of infection shows no signs of stopping, and it might be a while before this one burns itself out.
It should also be noted that while most of the infections are in Asia, there are some 381,000 infected devices in Canada, and another 280,000 in the US, so tread carefully, especially if you’re using an older, unpatched Android device.