A malicious software campaign, dubbed “CopyCat,” infected millions of devices running Google’s mobile Android operating system and raked in more than a million dollars through fraudulent advertising and app installations, researchers at the Israeli cybersecurity firm Check Point Software Technologies (CHKP) said Thursday.
The malware operation, which peaked during April and May 2016, spread to as many as 14 million phones and tablets and garnered as much as $1.5 million in the space of those two months, the researchers said. The epidemic, which Google all but quashed a year ago, appeared to have spread through third party app stores and phishing attacks, rather than through the official Google Play app.
Daniel Padon, a mobile security researcher at Check Point, told Fortune that his team reported the operation to Google in March soon after discovering it. By then Google already had taken care of much of the problem.
Google estimates that fewer than 50,000 devices are still affected. The search giant (GOOG) has since adapted its protections to block the malware from gaining a foothold on Android devices, even ones running older software versions, the company told Fortune.
During the time that CopyCat was in full force however, the malware gained “root” control over 8 million devices, and used that power to serve more than 100 million bogus ads and install 4.9 million apps on phones and tablets, generating substantial revenues for the cybercriminals. The malware achieved this by using a handful of exploits to take advantage of security holes in Android versions 5 and earlier, and then by hijacking a part of the Android systems called “Zygote,” a software function that manages app launches.
“This is the first adware discovered using this technique,” said Check Point researchers, while noting that the tactic first had been introduced by the money-stealing malware Triada. (For a good write-up on the Triada trojan, read this report from Kaspersky Lab, the Russian anti-virus firm.)
Get Data Sheet, Fortune’s technology newsletter.
CopyCat primarily affected devices in Southeast Asia—particularly in India, Pakistan and Bangladesh—although 280,000 people in the United States were also affected at its height. The researchers noted that the malware purposefully avoided targeting users based in China; they theorized that the perpetrators might be based there, and were seeking to avoid provoking investigation by local police.
Check Point researchers, in fact, traced the CopyCat campaign back to a 3-year-old ad-tech startup based in Guangzhou, China called MobiSummer. The malware operators and the startup shared infrastructure, remote services, and code signatures, the researchers said, although they were uncertain whether the company was a witting or unwitting agent.
“[W]hile these connections exist, it does not necessarily mean the malware was created by the company, and it is possible the perpetrators behind it used MobiSummer’s code and infrastructure without the firm’s knowledge,” the researchers said.
MobiSummer did not immediately respond to Fortune’s request for information.
Aaron Stein, a Google spokesperson, said that the company has been keeping tabs on a variation of the CopyCat malware for a couple of years. He added that Google Play Protect, a security feature formalized by the company in May which scans and removes malicious apps from phones, would now inoculate phones against these infections even if they were running older versions of Android.
“CopyCat is a variant of a broader malware family that we’ve been tracking since 2015. Each time a new variant appears, we update our detection systems to protect our users,” Stein said. “Play Protect secures users from the family, and any apps that may have been infected with CopyCat were not distributed via Play. As always, we appreciate researchers’ efforts to help keep users safe.”
Fraudulent advertising has become a lucrative way for crooks to make money online. Last year Check Point uncovered several ad fraud scams including “HummingBad,” which earned its perpetrators $300,000 a month, and another nicknamed “Gooligan,” which stole authentication tokens for more than 1 million Google accounts. Other recent scams include “Methbot,” which stole up to $5 million a day, and “YiSpecter,” which targeted Apple’s (AAPL) iOS operating system.
