Dubbed CopyCat, this malware has the power to root infected devices, establish persistency, and infect malicious code into Zygote. Zygote is a daemon responsible for launching apps on Android. Which means the operators would have full access to the devices.
According to security researchers who discovered this malware strain, CopyCat has infected 14 million devices and rooted nearly 8 million of them, had 3.8 million devices serve ads, and 4.4 million of them were used to steal credit for installing apps on Google Play.
Researchers believe most of the victims got infected through third-party app downloads and phishing attacks.
The success of the campaign shows that millions of Android users rely on old, unpatched, unsupported devices.
CopyCat disguises itself behind a popular third party Android app. Once downloaded, the malware begins to collect data bout the device and downloads rootkits to help root the victims phone.
After the rooting is completed, the CopyCat malware removes security defenses from the device and throws code into the Zygote app launching process to fraudulently install apps and display ads and generate revenue.