17 Mar 2018

Researchers have found an enormous, continuously growing malware campaign that has infected around 5 million mobile devices worldwide.

The malware, dubbed RottenSys, was disguised as a ‘System Wi-Fi service’ app and arrived pre-installed on millions of brand-new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.

The infected devices were shipped through a Hangzhou-based mobile phone distributor named Tian Pai, but whether the company was knowingly involved is not known.

The campaign was discovered by the Check Point Mobile Security Team, who describe RottenSys as an advanced piece of malware that requests all the sensitive Android permissions it needs for its malicious activities, even though it provides no Wi-Fi related service at all.

According to the team, RottenSys began spreading in September 2016, and by March 12, 2018, around 4,964,460 devices had been infected.

To avoid detection, the fake System Wi-Fi service app initially ships with no malicious component and starts no malicious activity. Instead, RottenSys is designed to contact its command-and-control (C&C) servers and fetch a list of required components, which contain the actual malicious code. RottenSys then downloads and installs them using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission, which requires no user interaction.

At present the campaign pushes an adware component to every infected device, which displays advertisements on the device’s home screen either as pop-up windows or as full-screen ads to generate ad revenue.

Researchers note that RottenSys is an extremely aggressive ad network: in the past 10 days alone it served ads 13,250,756 times, of which 548,822 resulted in ad clicks.

The malware has already earned more than $115,000 in the last 10 days alone, but the attackers are believed to be preparing something else that could cause far more damage.

RottenSys is designed to download and install any new component from its C&C server, which makes it easy for the attackers to take full control of millions of infected devices.

Further investigation reports that the RottenSys attackers have already begun turning millions of the infected devices into a massive botnet. Some affected devices were observed installing a new RottenSys component that gives the attackers additional capabilities, such as silently installing further apps and UI automation.

Part of the botnet’s control mechanism is implemented in Lua scripts. The attackers can re-use their existing malware distribution channel and easily gain control over millions of devices.

How to Detect and Remove Android Malware?

Follow this simple procedure to check whether your device is infected with this malware:
Go to Android system settings → App Manager and check for the following possible malware package names:

com.android.yellowcalendarz

com.changmi.launcher

com.android.services.securewifi

com.system.service.zdsgt

If any of the above-mentioned packages appears in your list of installed apps, uninstall it immediately.
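As an added illustration of the two checks described in this article (the package-name list in the procedure above and the silent-download permission the dropper relies on), here is a small POSIX shell helper; it is not code from the article or from Check Point. It assumes `adb` access to the device, and the sample package list and `dumpsys` snippet embedded in it are constructed, not captured from an infected phone.

```shell
#!/bin/sh
# Added example, not code from the article or from Check Point: an offline
# triage helper that checks a device's installed-package list against the four
# RottenSys package names given in the article, plus a check for packages that
# request the DOWNLOAD_WITHOUT_NOTIFICATION permission the dropper uses.
# On a real device the inputs come from:
#   adb shell pm list packages        -> flag_rottensys_packages
#   adb shell dumpsys package <pkg>   -> requests_silent_download

# The four package names listed in the article.
ROTTENSYS_PACKAGES="com.android.yellowcalendarz
com.changmi.launcher
com.android.services.securewifi
com.system.service.zdsgt"

CR=$(printf '\r')   # older adb versions emit CRLF line endings; strip the CR

# Reads 'pm list packages' output (one "package:<name>" per line) on stdin,
# prints "SUSPECT: <name>" for every known RottenSys package and returns
# 0 if at least one was found, 1 if the list is clean.
flag_rottensys_packages() {
    hits=0
    while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%"$CR"}
        for bad in $ROTTENSYS_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                echo "SUSPECT: $pkg"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Same scan, but only reports the number of matches (handy for scripting).
count_rottensys_packages() {
    flag_rottensys_packages | wc -l | tr -d ' '
}

# Reads 'dumpsys package <pkg>' output on stdin and returns 0 if the package
# requests android.permission.DOWNLOAD_WITHOUT_NOTIFICATION, the permission
# the article says RottenSys uses to pull its components without any prompt.
requests_silent_download() {
    grep -q 'android\.permission\.DOWNLOAD_WITHOUT_NOTIFICATION'
}

# Constructed sample inputs (not captured from a real device) so the script
# runs offline; two of the four sample packages are RottenSys names.
SAMPLE_PACKAGE_LIST="package:com.android.settings
package:com.android.services.securewifi
package:com.example.notes
package:com.system.service.zdsgt"

SAMPLE_DUMPSYS="Package [com.android.services.securewifi]:
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_PACKAGE_LIST" | flag_rottensys_packages \
    || echo "no RottenSys packages found"
if printf '%s\n' "$SAMPLE_DUMPSYS" | requests_silent_download; then
    echo "sample package requests DOWNLOAD_WITHOUT_NOTIFICATION"
fi
```

To run it against a real handset, pipe `adb shell pm list packages` into `flag_rottensys_packages`, and for any hit pipe `adb shell dumpsys package <name>` into `requests_silent_download`. Because RottenSys arrived pre-installed, the App Manager may show no Uninstall button for a matching package; `adb shell pm uninstall --user 0 <name>` removes such a package for the device's primary user, and a device whose distributor shipped it pre-infected is best treated as untrusted until it has been re-flashed with a clean firmware image.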
