
Wednesday, 12 July 2017

CopyCat | CopyCat Virus For Android Affecting Zygote Android

CopyCat is a new adware that has infected about 14 million Android devices around the world, with the majority of infections in Asia (55%), followed by Africa (18%) and the Americas (12%). The malware is believed to be spreading mainly to Android devices in Southeast Asia, but reports confirm that it has already hit more than 280,000 handsets in the US. It attacked an enterprise customer of Check Point, and Check Point researchers came across the CopyCat virus in March of this year. The security company believes the CopyCat campaign hit its peak between April and May of 2016.


How does it work on your mobile?

CopyCat is a malware with well-planned capabilities, including rooting the device, establishing persistence and injecting code into Zygote on Android.
Zygote is the Android daemon responsible for launching every app, so code injected into it lets the malware control any activity on the device. CopyCat uses this foothold to conduct several kinds of ad fraud. Once infected, the device is rooted, which gives the attackers complete access to it and leaves the user defenseless against the infection.

Damaging Effects of CopyCat

1. Code sharing with the hacking community: the sophisticated capabilities developed by adware authors can be adopted by other malware developers and used to commit bigger crimes.
2. Theft of sensitive information: some adware, such as Gooligan, steals sensitive information from its victims, which can later be sold to third parties for monetary gain.
3. Device rooting or jailbreaking: adware frequently roots or jailbreaks devices, breaking the built-in security mechanisms of Android or iOS and leaving victims defenseless against even the lowest-level hacks.

Zygote | Zygote Android - Rise Of Mobile Threats

Zygote is a remarkable part of the Android operating system. If you have worked on Android before, you have probably run the ps command and noticed that all Android applications share the same parent PID (PPID). Android uses a different approach to start a process so that application startup stays snappy: a single process named Zygote is started once, and every Android application is forked from it.


Why Zygote?

Normally a process starts by forking its parent and then going through numerous setup steps, including loading libraries and resources. This takes time, but on a desktop it is fast enough to go unnoticed. On Android the setup would be noticeable to end users, and not all Android devices are high-spec. To normalize application startup time across devices, Android therefore starts one warm process during OS boot, with the libraries and resources already loaded, and forks applications from it whenever they are required. This process is called Zygote.
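To make the fork model above concrete, here is an added example (not code from the original post) that parses constructed `ps -A` output in the toybox column format Android uses and reports which app processes were forked from zygote; a process with a package-style name whose parent is not zygote is worth a closer look. The sample rows and package names are constructed; real output can be captured with `adb shell ps -A`.

```python
"""Group Android processes by parent PID to show the Zygote fork model.

Parses ps -A output in the toybox format Android uses:
USER PID PPID VSZ RSS WCHAN ADDR S NAME
"""

# Constructed sample, shaped like `adb shell ps -A` on a 64-bit device.
# All PIDs, users and package names below are made up for illustration.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10612   2312 0                   0 S init
root           521     1 2107392  83000 0                   0 S zygote64
root           522     1 1583492  58000 0                   0 S zygote
system         788   521 4320000 210000 0                   0 S system_server
u0_a42        1503   521 2030000  88000 0                   0 S com.android.systemui
u0_a110       2211   521 1950000  67000 0                   0 S com.example.mail
root          2310     1   12000   2000 0                   0 S logd
u0_a120       2408  2310 1810000  51000 0                   0 S com.example.suspicious
"""

# Both the 32-bit and 64-bit zygote daemons launch apps.
ZYGOTE_NAMES = {"zygote", "zygote64"}


def parse_ps(text):
    """Return a list of (pid, ppid, name) tuples from ps -A output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append((int(fields[1]), int(fields[2]), fields[8]))
    return rows


def zygote_pids(rows):
    """PIDs of the zygote daemons present in the process list."""
    return {pid for pid, _, name in rows if name in ZYGOTE_NAMES}


def classify(rows):
    """Split app-like processes (names containing a dot, i.e. package
    names) into those forked from a zygote and those with another parent.
    Native daemons have dot-free names and are ignored; this is a heuristic."""
    zyg = zygote_pids(rows)
    from_zygote, not_from_zygote = [], []
    for pid, ppid, name in rows:
        if "." not in name:
            continue
        (from_zygote if ppid in zyg else not_from_zygote).append(name)
    return sorted(from_zygote), sorted(not_from_zygote)


if __name__ == "__main__":
    ok, odd = classify(parse_ps(SAMPLE_PS))
    print("forked from zygote:", ok)
    print("app-like but NOT from zygote:", odd)
```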

Zygote Startup?

When the device is switched on and the kernel has booted, the init system starts and executes the /init.rc file to set up environment variables and mount points and to start native daemons. Zygote is started during the execution of init.rc.
The initialization of Zygote can be simplified into the following steps:
1. Registers the Zygote socket (listening for connections on /dev/socket/zygote) for requests to start new apps.
2. Preloads resources.
3. Preloads all Java classes.
4. Opens the socket.
5. Starts the system server (not covered in this post).
6. Listens for connections.