Google patches vulnerabilities for its mobile operating system Android as soon as the exploits are discovered, but that hasn’t stopped a mobile malware called CopyCat from infecting over 14 million devices in the last year by targeting old vulnerabilities.

CopyCat, first discovered by researchers at mobile security firm Check Point, has been spread through repackaged versions of popular apps that are injected with malicious code and distributed through third-party app stores and phishing scams.

Read: Android Malware: Apps In Google Play Store Spread 'Judy' Adware Attack To Nearly 40 Million Phones

CopyCat makes use of old, known security exploits to infect a device—a method that is effective because even when a security patch is issued for a known vulnerability, device owners install those updates infrequently and leave themselves at risk for attacks.

Once a user is tricked into installing a compromised app, either by failing to vet the app in a third-party marketplace or by accidentally installing it from a malicious link, CopyCat laws low on the device to avoid detection. Once a user restarts the device, the malware goes to work attempting to root the device to gain full administrative access to the system.

The malware is equipped with propagation methods to exploit six different known Android vulnerabilities. The exploits are all quite dated, with the most recent ones being patched two years ago.

Despite the age of the exploits, the attack has been incredibly effective. CopyCat has infected more than 14 million devices globally in the last year and has rooted eight million of those infected handsets—a 54 percent success rate that is nearly unheard of for most malware.

Read: FalseGuide Android Malware: More Than 600,000 Phones Turned Into Money-Generating Botnet

With total control over eight million devices, the malicious actors behind CopyCat were able to generate funds for themselves by displaying fraudulent advertisements on an infected user’s device. In just a two month period, CopyCat earned the attackers about $1.5 million.

Twenty-six percent of the infected devices were used to display the fake ads, while 30 percent of devices were used to steal credits through referral programs for downloading apps onto the device through the Google Play Store—even though the Google Play Store itself was not used to spread CopyCat.

Beyond just using the compromised phones and tablets to generate revenue, the attackers also stole information from the devices hit by CopyCat. The malware would record the device brand, model, OS version and country it was operated in and sent that information to a command and control server where it could be recorded and accessed by the attackers.

Google has been able to get control of the campaign, which peaked in April and May 2016. The attack primarily hit Android users in Asia but was relatively widespread, infecting more than 280,000 devices in the United States.

Even with Google on top of the attack, users can still be left at risk if they fail to take basic precautions to protect their device. In the case of CopyCat, simply keeping up with security updates would have been enough to avoid infection in most cases.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world's largest companies and institutions, join us for two days of talks, workshops and networking sessions with key industry players - register now.

RELATED STORIES
Security Cybercrime Malware Security