Thursday, March 28, 2024

5 Million Android Phones Infected with Pre-installed RottenSys Malware

Android Malware dubbed RottenSys disguised as System Wi-Fi service found preinstalled in 5 million Android phones infected including the top brands in the market such as Samsung, HTC, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei.

More than 49% of the infected devices were shipped through Hangzhou based mobile phone supply chain distributor Tian Pai who also provide presale customization and customer services.

RottenSys Malware discovered by Check Point Mobile Security Team on a Xiaomi Redmi phone. The application asks sensitive android permissions instead of securing users Wi-Fi related service.

Also Read An Ultimate Checklist for Application Security Testing

It employs a couple of evasion techniques, it initially postpone’s it’s malicious activity for a set of time and the dropper component doesn’t display any malicious activity.

Once the dropper installed and activated it downloads additional components to perform the malicious activities. RottenSys Malware downloads the additional components silently without user interaction by using the permission DOWNLOAD_WITHOUT_NOTIFICATION.

5 Million Android Phones Infected

Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”

RottenSys Malware uses MarsDaemon to keep their services active also it thwart device performance and drains the battery. The malware propagation started in September 2016 and by March 12/2018 it infected 4,964,460 devices.

Most targetted devices are Honor, Huawei, and Xiaomi. Researchers believe the malware entered the user’s device before purchase.

Researchers said it popped aggressive ads 13,250,756 impressions and 548,822 of which were translated into ad clicks within the lost 10 days. Attackers earned more than $115k with their malicious ad operation within this last 10 day alone.
5 Million Android Phones Infected

If your Android device showing unknown ads on the home screen then go to the android system settings >> app manager >> Check for the following packages and remove it.

com.android.yellowcalendarz 
com.changmi.launcher 
com.android.services.secure 
com.system.service.zdsgt

“While investigating RottenSys we discovered evidence that the attackers are up to something far more damaging than simply displaying uninvited advertisements. Apparently, the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018; researchers said.

Website

Latest articles

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...

ZENHAMMER – First Rowhammer Attack Impacting Zen-based AMD Platforms

Despite AMD's growing market share with Zen CPUs, Rowhammer attacks were absent due to...

Airbus to Acquire INFODAS to Strengthen its Cybersecurity Portfolio

Airbus Defence and Space plans to acquire INFODAS, a leading cybersecurity and IT solutions...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles