RottenSys malware infects nearly 5 million Android devices
According to securityaffairs on March 14 news, security company Check Point this week revealed a malicious software family called RottenSys – by disguising as a system Wi-Fi service, increase advertising revenue. According to the report, since 2016, the mobile advertising software has infected nearly 5 million Android devices, of which the most affected ones include Glory, Huawei, and Xiaomi.
Check Point said that “The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service“. It will require many sensitive Android permissions, such as accessibility service rights that are not related to Wi-Fi services, user calendar read permission, and so on.
According to Check Point’s survey, a malicious gang uses RottenSys to make a huge profit, which can reach $115,000 every 10 days. At present, the top mobile phone brands affected by infection include Huawei Glory, Huawei, Xiaomi, OPPO, and vivo. And it should be noted that due to the wide range of features of RottenSys, an attacker may also use it to make more destructive behavior than advertising.
Image: checkpoint
Details of the RottenSys malware section:
Malware implements two escaping techniques:
- The first technique consists of postponing operations for a set time.
- The second technique uses a dropper which does not display any malicious activity at first. Once the device is active and the dropper contacts the Command and Control (C&C) server which sends it a list of additional components required for its activity.
Malicious code relies on two open source projects:
- The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components, with this trick the malware could run parallel tasks, overwhelming Android OS limitations.
- The MarsDaemon library that keeps apps “undead.” MarsDaemon is used to keep processes alive, even after users close them. Using it the malware is always able to inject ad.
Mitigation
Locating the source of rough aggressive advertisement displayed on Android home screen is always challenging for common users. Mitigating is even harder. Luckily, Users can uninstall the RottenSys dropper if they know the exact package name to remove. If your brand new phone is suffering from unknown ads on the home screen, please go to Android system settings, then to app manager, and look for the following possible malware package names and uninstall them:
Package Name App Name com.android.yellowcalendarz 每日黄历 com.changmi.launcher 畅米桌面 com.android.services.securewifi 系统WIFI服务 com.system.service.zdsgt
Source: SecurityAffairs
