Friday, November 1, 2024
HomeSecurity News5 Million Android Phones Infected with Pre-installed RottenSys Malware

5 Million Android Phones Infected with Pre-installed RottenSys Malware

Published on

Malware protection

Android Malware dubbed RottenSys disguised as System Wi-Fi service found preinstalled in 5 million Android phones infected including the top brands in the market such as Samsung, HTC, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei.

More than 49% of the infected devices were shipped through Hangzhou based mobile phone supply chain distributor Tian Pai who also provide presale customization and customer services.

RottenSys Malware discovered by Check Point Mobile Security Team on a Xiaomi Redmi phone. The application asks sensitive android permissions instead of securing users Wi-Fi related service.

- Advertisement - SIEM as a Service

Also Read An Ultimate Checklist for Application Security Testing

It employs a couple of evasion techniques, it initially postpone’s it’s malicious activity for a set of time and the dropper component doesn’t display any malicious activity.

Once the dropper installed and activated it downloads additional components to perform the malicious activities. RottenSys Malware downloads the additional components silently without user interaction by using the permission DOWNLOAD_WITHOUT_NOTIFICATION.

5 Million Android Phones Infected

Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”

RottenSys Malware uses MarsDaemon to keep their services active also it thwart device performance and drains the battery. The malware propagation started in September 2016 and by March 12/2018 it infected 4,964,460 devices.

Most targetted devices are Honor, Huawei, and Xiaomi. Researchers believe the malware entered the user’s device before purchase.

Researchers said it popped aggressive ads 13,250,756 impressions and 548,822 of which were translated into ad clicks within the lost 10 days. Attackers earned more than $115k with their malicious ad operation within this last 10 day alone.
5 Million Android Phones Infected

If your Android device showing unknown ads on the home screen then go to the android system settings >> app manager >> Check for the following packages and remove it.

com.android.yellowcalendarz 
com.changmi.launcher 
com.android.services.secure 
com.system.service.zdsgt

“While investigating RottenSys we discovered evidence that the attackers are up to something far more damaging than simply displaying uninvited advertisements. Apparently, the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018; researchers said.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users

A new critical vulnerability has been discovered in PDF.js, which could allow a threat...

LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely From Any Browser, Anywhere

LayerX, pioneer of the LayerX Browser Security platform, today announced $24 million in Series...

Email Header Analysis – Verify Received Email is Genuine or Spoofed

Email Header Analysis highly required process to prevent malicious threats since Email is...