Android Malware dubbed RottenSys disguised as System Wi-Fi service found preinstalled in 5 million Android phones infected including the top brands in the market such as Samsung, HTC, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei.
More than 49% of the infected devices were shipped through Hangzhou based mobile phone supply chain distributor Tian Pai who also provide presale customization and customer services.
RottenSys Malware discovered by Check Point Mobile Security Team on a Xiaomi Redmi phone. The application asks sensitive android permissions instead of securing users Wi-Fi related service.
Also Read An Ultimate Checklist for Application Security Testing
It employs a couple of evasion techniques, it initially postpone’s it’s malicious activity for a set of time and the dropper component doesn’t display any malicious activity.
Once the dropper installed and activated it downloads additional components to perform the malicious activities. RottenSys Malware downloads the additional components silently without user interaction by using the permission DOWNLOAD_WITHOUT_NOTIFICATION.
Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”
RottenSys Malware uses MarsDaemon to keep their services active also it thwart device performance and drains the battery. The malware propagation started in September 2016 and by March 12/2018 it infected 4,964,460 devices.
Most targetted devices are Honor, Huawei, and Xiaomi. Researchers believe the malware entered the user’s device before purchase.
Researchers said it popped aggressive ads 13,250,756 impressions and 548,822 of which were translated into ad clicks within the lost 10 days. Attackers earned more than $115k with their malicious ad operation within this last 10 day alone.
If your Android device showing unknown ads on the home screen then go to the android system settings >> app manager >> Check for the following packages and remove it.
com.android.yellowcalendarz com.changmi.launcher com.android.services.secure com.system.service.zdsgt
“While investigating RottenSys we discovered evidence that the attackers are up to something far more damaging than simply displaying uninvited advertisements. Apparently, the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018; researchers said.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…