Kudos to Check Point researchers, who published a blog on July 6, 2017 describing Android malware they dubbed CopyCat. The CopyCat malware was primarily active in the April-May 2016 time frame; Check Point informed Google of the malware in March 2017. Google says it was able to quell the spread of CopyCat; however, devices infected by CopyCat could remain infected indefinitely, so quelling the spread doesn't remove the malware, it only prevents more widespread infections.
CopyCat has so far infected 14 million devices — 8 million of which it rooted, and on about 5 million of which it installed fraudulent apps. CopyCat used a “trojan” tactic to infect devices by delivering its malicious code via repackaged versions of popular and otherwise legitimate apps. This trojan approach is generally only possible on third-party app stores, which employ less rigorous app vetting than Google Play (or the Apple App Store). We can’t emphasize enough how important it is for enterprises to ensure that their employees only download apps from official stores, namely the Google Play and Apple App Store.
Because CopyCat can root a device, it can perform any malicious activity and control any actions on the device. Furthermore CopyCat can permanently store itself on the device, meaning that it persists over restarts. CopyCat’s primary goal seems to be ad fraud, where the CopyCat developer gets a return for being the reference when a specified app is installed. CopyCat therefore surreptitiously launches apps, substituting in the malware author’s referrer ID for financial gain (which totalled about $1.5 million). CopyCat got its name because it copies the ad fraud techniques of previous malware such as Gooligan, DressCode, and Skinner.
Before describing some additional findings from Appthority researchers, it's worth pointing out to Appthority's enterprise customers that they are already protected from CopyCat. This is important because, as Check Point notes, “Adware that steals credentials to sensitive information, or roots devices and leaves them vulnerable to any type of attack, are exactly what an attacker looking to infiltrate a corporate network seeks”. In other words, enterprises with employee devices infected by CopyCat run the risk of having their corporate assets accessed. We recommend that enterprises scan for and remediate this type of malware immediately, whether it resides on corporate-owned devices or BYOD.
In our research on CopyCat, the Appthority Mobile Threat Team uncovered some advances in evasion techniques adopted by CopyCat that could circumvent detection by enterprise security and dynamic analysis systems. Better evasion capabilities are a security concern because, by evading Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), the malware can more easily enter an enterprise network undetected and engage in the malicious activities noted above. Below we detail the significant detection evasion tactics used in the malware that Appthority researchers discovered and that were not previously publicly revealed.
Clues in the Data: Amazon AWS Credentials
Analyzing one of the APKs listed by Check Point, we can see that the malware author has their Amazon AWS S3 credentials stored in clear text, a common developer mistake. As noted by Check Point, the malware family isn’t very obfuscated; the malware authors didn’t take common steps to disguise what’s in their code. Utilizing production-ready services, such as those provided by Amazon, provided the CopyCat developers with a robust architecture, secure communications, faster development time, and the ability to look like legitimate traffic that will not typically be blocked in an enterprise environment. See the code snippet below (with the credentials obfuscated):
Searching the network traffic for the account key exposed in the APK allowed us to easily locate the specific streams relevant to downloading the modular pieces from Amazon AWS. We performed this search using Appthority's dynamic analysis engines, which, among other things, inspect all traffic between an application and the server it's communicating with (this is done in software, before the traffic is encrypted). Visibility into SSL traffic removes a common analysis problem that occurs when malicious actors use robust services such as AWS with HTTPS.
As the malware authors have used their AWS credentials in the app, Appthority has reached out to AWS to help mitigate this malware family. We suspect that the malware authors have either used their own payment method, compromised payment methods, or have compromised an account. With this data, Amazon may be able to take further action against the authors based on data in access logs, as well as on data not yet discovered by Check Point and Appthority.
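As an added example (not Appthority's tooling and not code from the CopyCat samples), the following Python automates the two checks described above: it walks every entry of an APK looking for an AWS access key ID stored in clear text, then uses the recovered key ID to pull the matching requests out of a decrypted traffic capture. The APK, its embedded key pair and the capture lines are all constructed here; the key ID and secret are AWS's published documentation example values, not credentials from the malware.

```python
import io
import re
import zipfile

# Long-term AWS access key IDs are 20 characters starting with "AKIA".
AWS_ACCESS_KEY_ID_RE = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters; this pattern is loose on
# purpose and is only consulted close to a key ID to keep noise down.
AWS_SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 256  # bytes after a key ID in which to look for its secret


def build_sample_apk() -> bytes:
    """Constructed toy APK: a ZIP whose classes.dex stand-in embeds AWS's
    documented example key pair as string constants (not CopyCat's code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='example.batterysaver'/>")
        apk.writestr(
            "classes.dex",
            b"\x00\x01AKIAIOSFODNN7EXAMPLE\x00"
            b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
            b"s3.amazonaws.com\x00",
        )
        apk.writestr("res/raw/config.json", b'{"bucket": "example-bucket", "region": "us-east-1"}')
    return buf.getvalue()


def scan_apk_for_aws_keys(apk_bytes: bytes) -> list:
    """Walk every entry of the APK and report AWS key IDs found in clear text,
    with a candidate secret if one sits within SECRET_WINDOW bytes after it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for match in AWS_ACCESS_KEY_ID_RE.finditer(data):
                window = data[match.end():match.end() + SECRET_WINDOW]
                secret = AWS_SECRET_KEY_RE.search(window)
                findings.append({
                    "entry": name,
                    "access_key_id": match.group(0).decode(),
                    "secret_candidate": secret.group(0).decode() if secret else None,
                })
    return findings


# Constructed request lines as they would appear in a decrypted capture.
# SigV4 puts the access key ID in the Credential scope of every signed request,
# so the ID recovered from the APK is a precise handle on the relevant streams.
SAMPLE_CAPTURE = [
    "GET /upd_00 HTTP/1.1",
    "Host: example-bucket.s3.amazonaws.com",
    "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20160501/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=<redacted>",
    "GET /index.html HTTP/1.1",
    "Host: www.example.com",
]


def find_key_in_capture(access_key_id: str, lines: list) -> list:
    """Return the capture lines that carry the key ID."""
    return [line for line in lines if access_key_id in line]


if __name__ == "__main__":
    for finding in scan_apk_for_aws_keys(build_sample_apk()):
        print(finding)
        print(find_key_in_capture(finding["access_key_id"], SAMPLE_CAPTURE))
```

The secret pattern is deliberately only evaluated in a short window after a key ID; on a real APK a bare 40-character base64 regex matches far too much unrelated data, whereas a key ID followed closely by such a string is a strong signal worth a manual look.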
Why would Appthority researchers investigate the AWS use and disclose our findings to AWS? Remember above, when we said that by quelling the CopyCat campaign Google was able to halt new infections, but existing ones remained on the device? Well, AWS now knows of malicious activity coming from a specific account. Assuming AWS terminates those accounts, then CopyCat’s current threat level can be minimized if not eliminated.
Evading IDS/IPS Inspection with Malformatted ZIP Files
In the network stream between the application and AWS we can see eight files that are downloaded to the device, listed below:
The upd_00 file download (one of the files above) shows the following:
Note the PK at the beginning of the network stream above is the indicator that this is a ZIP file. We can also see the text containing BatterySaver.apk, an indicator of what is in the ZIP file.
The same data as seen from the command line:
If an IDS/IPS attempted to unzip this file, it would fail, because the file is in fact an incomplete ZIP. This is the technique CopyCat uses to specifically evade enterprise network security systems, such as proxies or IDS/IPS systems, which can extract ZIP files from a network stream and submit them for analysis to their own engines or to external systems such as VirusTotal. This incomplete ZIP file is part of the innovative way CopyCat was able to evade detection.
CopyCat enhanced the evasion capability by splitting the ZIP file into several files. To recover the payload we concatenate the upd_* files together to get a complete ZIP file. Unzipping this file reveals four files, three of which Check Point references by name.
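As an added example, not code from this post or from Appthority, the Python below shows how an inspection point can triage downloads of this kind instead of simply failing on them: each blob is labelled by whether it starts with a ZIP local file header (PK\x03\x04) and whether it ends with an end-of-central-directory record (PK\x05\x06), and the ordered upd_* pieces are then concatenated and validated with the standard zipfile module. The payload and its eight-way split are constructed here; the entry names merely echo names mentioned in the post.

```python
import io
import zipfile

# ZIP signatures: a local file header opens every archive and the
# end-of-central-directory (EOCD) record closes it; unzip looks for the EOCD
# first, so a head fragment with no EOCD fails to open even though it "looks" like a ZIP.
LOCAL_FILE_HEADER = b"PK\x03\x04"
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_SEARCH_WINDOW = 22 + 65535  # fixed EOCD size plus the maximum comment length


def classify_zip_fragment(data: bytes) -> str:
    """Label a downloaded blob by which ZIP structures it carries."""
    has_header = data.startswith(LOCAL_FILE_HEADER)
    has_eocd = EOCD_SIGNATURE in data[-EOCD_SEARCH_WINDOW:]
    if has_header and has_eocd:
        return "complete"
    if has_header:
        return "head_fragment"      # starts like a ZIP but will not unzip on its own
    if has_eocd:
        return "tail_fragment"
    return "middle_fragment"        # opaque bytes with no ZIP signatures at all


def list_zip_contents(data: bytes):
    """Return entry names if the bytes form a valid archive, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def reassemble(chunks: dict) -> bytes:
    """Concatenate the upd_* chunks in name order (upd_00, upd_01, ...)."""
    return b"".join(chunks[name] for name in sorted(chunks))


def build_sample_payload() -> bytes:
    """Constructed stand-in for the modular download; not CopyCat's payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr("BatterySaver.apk", b"placeholder apk bytes " * 200)
        archive.writestr("config.txt", b"constructed sample config\n")
    return buf.getvalue()


def split_into_chunks(data: bytes, count: int) -> dict:
    """Cut a blob into `count` near-equal pieces named like the post's upd_* files."""
    size = -(-len(data) // count)  # ceiling division
    return {f"upd_{i:02d}": data[i * size:(i + 1) * size] for i in range(count)}


def triage_stream(chunks: dict) -> dict:
    """Per-file verdicts as an inspection point would see them, plus the
    entry list obtained once the pieces are reassembled."""
    report = {name: classify_zip_fragment(chunks[name]) for name in sorted(chunks)}
    report["reassembled"] = list_zip_contents(reassemble(chunks))
    return report


if __name__ == "__main__":
    sample = split_into_chunks(build_sample_payload(), 8)
    for name, verdict in triage_stream(sample).items():
        print(name, verdict)
```

The useful signal for a defender is the combination: a download that begins with a ZIP header yet has no EOCD, followed by several opaque downloads from the same host, is itself worth alerting on, and only the reassembled archive should be handed to an unzip-and-scan pipeline.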
The logic flow of the split ZIP files is shown in the diagram below:
New Wrinkles in Malware Evasion
CopyCat is malware that achieved financial success and avoided detection for about a year. While the malicious functions it performed were all too common, its evasion innovations, delivery via AWS and segmentation of the APK, represent the next level of escalation in the mobile malware arms race. We shouldn't be surprised, but we should be concerned about the increasing sophistication of malware's ability to remain hidden while it performs its malicious actions.
Appthority customers are already protected from CopyCat. At this time we’ve found no CopyCat instances in our enterprise installed base. Appthority’s solution will also protect our customers from any new devices entering their environment with this malicious threat.
Our advice on staying protected from CopyCat and other malware threats is as follows:
- We must emphasize again how important it is to advise employees not to download apps from third-party stores
- Enterprises should continuously verify that no rooted or jailbroken mobile devices exist within their environments
- A Mobile Threat Defense solution should be in place to protect against mobile malware that can evade network security solutions and install itself on employee devices. Appthority’s Mobile Threat Protection solution not only defends against these threats, but also arms employees with the ability to identify safe or unsafe apps prior to downloading them to prevent the risk and need for remediation.