According to new report by Israel-based IT security provider Check Point, CopyCat malware infected 14 million Android devices, rooting approximately 8 million of them, and earning the hackers behind the campaign approximately $1.5 million in fake ad revenues in two months.
The malware affected users mainly in Southeast Asia and spread to more than 2,80,000 Android users in the US, the company said in a blog post.
It said CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote - a daemon responsible for launching apps in the Android operating system - that allows the malware to control any activity on the device.
"It is unclear who is behind the CopyCat attack, however, there are several connections to MobiSummer, an ad network located in China," it added.
"The malware also refrains from targeting Chinese devices, suggesting the malware developers are Chinese and want to avoid any investigation by local law enforcement, a common tactic in the malware world," the blog post further said.
The malware uses a novel technique to generate and steal ad revenues.
According to the researchers, the campaign was spread via popular apps, repackaged with the malware and downloaded from third party app stores, as well as phishing scams.
However, there was no evidence that CopyCat was distributed on Google Play Store.