RottenSys botnet has taken over 5 million Android phones
Almost 5 million Android phones preinstalled with an Android malware dubbed “RottenSys” were dispatched from the factory and received by the customers, according to a report published by Check Point Research, a company specializing in digital security.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service,” reads the analysis of Check Point.
The infected brands include the top Android phones on the market, such as Samsung, Xiaomi, Honor, Oppo, Vivo, Huawei and Gionee. All the infected devices were distributed by an outsourced mobile phone supply chain distributor called Tian Pai, based in Hangzhou, China.
The Check Point Mobile Security Team, who discovered the malware on a Xiaomi Redmi phone, say that RottenSys is an advanced piece of malware that disguises itself as a tool for managing Wi-Fi connections. Instead of providing any Wi-Fi-related service to the user, the application requests sensitive Android permissions, such as the accessibility service permission, read access to the user’s calendar and the silent download permission, none of which is related to a Wi-Fi service.
“According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys,” the researchers said.
RottenSys uses two evasion methods. The first is to postpone any malicious activity, so that there is no obvious link between the installed app and the malicious behaviour that appears later.
In the second evasive tactic, RottenSys contains only a dropper component, which does not display any malicious activity at first. Once the device is active and the dropper is installed, it starts communicating with its Command-and-Control (C&C) servers to get the list of required components, which contain the actual malicious code.
RottenSys malware downloads and installs the additional components silently, using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission that does not need any user interaction.
Researchers said, “RottenSys is adapted to use the Guang Dian Tong (Tencent ads platform) and Baidu ad exchange for its ad fraud operation.”
Currently, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks,” researchers said. The attackers earned more than $115,000 from their malicious ad operation within the last 10 days alone.
Besides displaying uninvited advertisements, the attackers have also been testing a new botnet campaign through the same C&C server since the beginning of February 2018, says the Check Point Research Team.
“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet. This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices,” they added.
To check if your Android device is infected with the malware, go to the Android system Settings >> App Manager >> check for the following malware packages and uninstall them.
- android.yellowcalendarz
- changmi.launcher
- android.services.securewifi
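The same check can be scripted over adb for a fleet of devices. The helper below is an added example, not code from the article or from Check Point: it flags the package names listed above in `pm list packages` output and checks whether a package holds the silent-download permission the article names; the `dumpsys package` line format it greps for is an assumption.

```shell
#!/bin/sh
# Added example (not from the Check Point report or the article): offline triage
# helpers for the RottenSys package names and the silent-download permission,
# plus an adb wrapper to run them against a connected device.

# Package names the article lists as RottenSys components.
ROTTENSYS_PACKAGES="android.yellowcalendarz changmi.launcher android.services.securewifi"
SILENT_DL="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Reads `pm list packages` output ("package:<name>" per line) on stdin and
# prints every RottenSys package present. Returns 1 if any was found, else 0.
flag_rottensys_packages() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}
        for bad in $ROTTENSYS_PACKAGES; do
            [ "$pkg" = "$bad" ] || continue
            echo "$pkg"
            found=1
        done
    done
    return $found
}

# Reads `dumpsys package <pkg>` output on stdin and returns 0 if the
# silent-download permission is granted. The line format
# "<permission>: granted=true" is an assumption about dumpsys output.
has_silent_download() {
    grep -q "$SILENT_DL: granted=true"
}

# Live check of a connected device (needs adb and USB debugging enabled).
scan_device() {
    adb shell pm list packages | tr -d '\r' | flag_rottensys_packages
    for pkg in $ROTTENSYS_PACKAGES; do
        if adb shell dumpsys package "$pkg" | tr -d '\r' | has_silent_download; then
            echo "$pkg holds $SILENT_DL"
        fi
    done
}
```

Run `scan_device` with a device attached; the two helper functions also work on saved `pm`/`dumpsys` output collected earlier.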