Android Malware dubbed RottenSys disguised as System Wi-Fi service found preinstalled in 5 million Android phones infected including the top brands in the market such as Samsung, HTC, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei.
More than 49% of the infected devices were shipped through Hangzhou based mobile phone supply chain distributor Tian Pai who also provide presale customization and customer services.
RottenSys Malware discovered by Check Point Mobile Security Team on a Xiaomi Redmi phone. The application asks sensitive android permissions instead of securing users Wi-Fi related service.
It employs a couple of evasion techniques, it initially postpone’s it’s malicious activity for a set of time and the dropper component doesn’t display any malicious activity.
Once the dropper installed and activated it downloads additional components to perform the malicious activities. RottenSys Malware downloads the additional components silently without user interaction by using the permission DOWNLOAD_WITHOUT_NOTIFICATION.
5 Million Android Phones Infected
Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”
RottenSys Malware uses MarsDaemon to keep their services active also it thwart device performance and drains the battery. The malware propagation started in September 2016 and by March 12/2018 it infected 4,964,460 devices.
Most targetted devices are Honor, Huawei, and Xiaomi. Researchers believe the malware entered the user’s device before purchase.
Researchers said it popped aggressive ads 13,250,756 impressions and 548,822 of which were translated into ad clicks within the lost 10 days. Attackers earned more than $115k with their malicious ad operation within this last 10 day alone.
If your Android device showing unknown ads on the home screen then go to the android system settings >> app manager >> Check for the following packages and remove it.
com.android.yellowcalendarz com.changmi.launcher com.android.services.secure com.system.service.zdsgt
“While investigating RottenSys we discovered evidence that the attackers are up to something far more damaging than simply displaying uninvited advertisements. Apparently, the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018; researchers said.