Industry Observations

The Sad Tale of the Copycat Hijacker

copycat malwareAs I checked the technology news today I noticed a headline that read “14 million devices infected by the CopyCat Malware last year”. The CopyCat malware exploits some known vulnerabilities in older versions of Android which allows an attacker to root the victim’s phone.The CopyCat malware then can install applications and will hijack ads from your phone, effectively paying the attacker each time an ad pops up. 

The real issue here is that Google knows about these security flaws and the Play Store actively looks for applications that can exploit this vulnerability. However, if a user bypasses the Play Store and instead opts to install it from a third party store or directly from a website claiming to be the real app, the security control that the Play Store has is useless. Even more frustrating than the fact that millions of devices were hacked: users have to change a setting to allow applications to install that are not downloaded from the Play Store. A user must knowingly go to the settings menu, then security, then scroll down to unknown sources and enable, which prompts the user with a message similar to ‘this is a bad idea, bad things can happen if you do this. If you want to do this, it’s not our fault, we’re begging you, don’t do this’. 

After all these warnings, the Play Store’s ability to block this and the fact that users have to purposefully go in and turn this off makes it mind boggling how 14 million devices were effected. It’s clear that a great many users will sacrifice security in order to download something they really want. We need to change this culture. As we move most of our life into the digital realm, there are huge risks that people aren’t aware of yet. When we used physical ATMs, we knew not to go to the one in the unsafe neighborhood at 3am alone. We knew not to wave that cash around after we took it out. We knew not to give out our PIN to anyone. However, the shift to digital has been so quick, many people are not aware of the dangers this can pose. In fact, even when we alert the user to danger, this is often ignored because the consequences either are not known, or are accepted because the result “can’t be that bad”.

As a society, we need to make sure that security becomes second nature to us in our digital life. We need to teach children at an early age what security means and what to look out for. Just like we tell kids not to talk to strangers, we also must enforce that they don’t talk to strangers on online message boards, or install unknown applications, or click on a link in an email. 

This problem will continue to get worse and worse until we as a society embrace security and start thinking about it like we think of our physical security. Here’s hoping next year there will be significantly less then 14 million people effected by a very preventable malware attack.