RottenSys malware found pre-installed on five million Android devices
PRE-INSTALLED MALWARE dubbed ‘RottenSys’ has infected nearly almost five million Android devices worldwide, according to Check Point Security.
The ‘advanced’ malware disguises itself as a ‘System Wi-Fi service’, and came pre-installed on millions of smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.
Check Point speculates that the malware was loaded onto the devices at a supply-chain level after discovering that all infected devices have been distributed by an outsourced mobile phone supply chain distributor called Tian Pai based in Hangzhou, China.
RottenSys claims to be a service that helps users manage WiFi connections, but rather asks for sensitive Android permissions such as accessibility service permission, user calendar read access and silent download permission.
Check Point notes that RottenSys uses two evasion techniques, the first of which is to postpone any malicious activity to avoid a connection between the malicious app and the malicious activity.
Secondly, the malware contains only a dropper component, which does not display any malicious activity at first. Once the device is active and the dropper is installed, it starts communicating with its Command-and-Control (C&C) servers to get the list of required components, which contain the actual malicious code.
RottenSys downloads these components silently, using the DOWNLOAD_WITHOUT_NOTIFICATION permission which does not require any user interaction.
The malware then goes on to push an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads, to generate fraudulent ad-revenues.
“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times, and 548,822 of which were translated into ad clicks,” Check Point says, adding that according to its calculations, the attackers earned more than $115,000 in the last 10 days alone.
The attackers might be up to something far more damaging, though, as Check Point claims that the attackers have been testing a new botnet campaign via the same C&C server since the beginning of February 2018.
Related: ‘Sophisticated’ Android malware spies on you and racks up huge phone bills
“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism,” it says.
“The payload which will be distributed can turn the victim device into a slave in a larger botnet. This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts.
“Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” µ