Friday, March 29, 2024

5 Million Android Phones Infected with Pre-installed RottenSys Malware

Android Malware dubbed RottenSys disguised as System Wi-Fi service found preinstalled in 5 million Android phones infected including the top brands in the market such as Samsung, HTC, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei.

More than 49% of the infected devices were shipped through Hangzhou based mobile phone supply chain distributor Tian Pai who also provide presale customization and customer services.

RottenSys Malware discovered by Check Point Mobile Security Team on a Xiaomi Redmi phone. The application asks sensitive android permissions instead of securing users Wi-Fi related service.

Also Read An Ultimate Checklist for Application Security Testing

It employs a couple of evasion techniques, it initially postpone’s it’s malicious activity for a set of time and the dropper component doesn’t display any malicious activity.

Once the dropper installed and activated it downloads additional components to perform the malicious activities. RottenSys Malware downloads the additional components silently without user interaction by using the permission DOWNLOAD_WITHOUT_NOTIFICATION.

5 Million Android Phones Infected

Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”

RottenSys Malware uses MarsDaemon to keep their services active also it thwart device performance and drains the battery. The malware propagation started in September 2016 and by March 12/2018 it infected 4,964,460 devices.

Most targetted devices are Honor, Huawei, and Xiaomi. Researchers believe the malware entered the user’s device before purchase.

Researchers said it popped aggressive ads 13,250,756 impressions and 548,822 of which were translated into ad clicks within the lost 10 days. Attackers earned more than $115k with their malicious ad operation within this last 10 day alone.
5 Million Android Phones Infected

If your Android device showing unknown ads on the home screen then go to the android system settings >> app manager >> Check for the following packages and remove it.

com.android.yellowcalendarz 
com.changmi.launcher 
com.android.services.secure 
com.system.service.zdsgt

“While investigating RottenSys we discovered evidence that the attackers are up to something far more damaging than simply displaying uninvited advertisements. Apparently, the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018; researchers said.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles