Recently, a new widespread Android malware infection was reported that seems to have affected nearly 5 million devices. The name of the threat is RottenSys, and according to researchers the malicious component comes pre-installed on newly purchased Android smartphones. Devices from brands such as Samsung, Vivo, Huawei, OPPO and others have been reported to contain the malware upon purchase. Currently, it is not clear who is responsible for the presence of a malicious component inside brand-new devices from those brands. So far, the only thing the infected devices have in common is that they were all shipped by a Chinese distributor known as Tian Pai. It is currently not known whether the distributor played any part in installing the malware on the affected devices.
How does RottenSys function?
The researchers at Check Point Mobile Security Team, the team that detected the RottenSys malware campaign, have stated that the malicious component pre-installed on the devices is a highly dangerous piece of malware capable of gaining most Android system permissions, which would later allow the hackers behind the virus to execute a variety of shady tasks on the affected smartphones. In order not to raise any suspicion, the malware is disguised as a Wi-Fi service application and doesn’t look like anything dangerous at first sight. Also, to remain concealed and undetected, the insidious piece of malware doesn’t initially do anything harmful or suspicious on the targeted device: the activity of RottenSys is delayed so as to avoid detection. Once RottenSys activates, it connects to the hackers’ C&C (Command and Control) servers, from where the malware secretly obtains additional components that allow it to carry out its malicious tasks.
Uses of the malware
Currently, according to cyber-security experts, RottenSys is primarily used for the aggressive display of advertising banners and pop-ups on the screens of the affected devices. Through this illegitimate advertising campaign, the developers of the malware are able to gain significant profits under the Pay-Per-Click model. This obstructive generation of ads, however, isn’t the only problem with RottenSys. Researchers warn that since the malware is capable of downloading other components onto the affected devices without asking the user for permission, the virus might be used in a variety of other, more harmful ways. Furthermore, there is already information that a lot of the targeted Android smartphones have been made part of a huge botnet under the malware’s control. Due to the extensive abilities of the virus and the wide privileges it is able to gain on the infected devices, there are many different ways in which this malware campaign could be exploited in the future. Therefore, experts advise owners of smartphones from the aforementioned brands bought during the past two years to check their app managers for any of the following entries and remove (uninstall) them if they turn out to be present:
- com.android.services.securewifi (系统WIFI服务)
- com.android.yellowcalendarz (每日黄历)
- com.system.service.zdsgt
- com.changmi.launcher (畅米桌面)
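The check described above can be automated over the package list that Android's `pm` tool reports through adb. The following script is an added example, not code from the Check Point report or the article; it assumes a host with adb installed and a device with USB debugging enabled, and falls back to a constructed sample of `pm list packages -f` output so the matching logic can be exercised offline.

```shell
# Added example (not from the Check Point report or the article): scan the
# output of Android's `pm list packages -f` for the RottenSys package names
# quoted above. Works on constructed sample output when no device is attached.

# Package names exactly as listed in the article.
ROTTENSYS_PACKAGES="com.android.services.securewifi
com.android.yellowcalendarz
com.system.service.zdsgt
com.changmi.launcher"

# Reads `pm list packages -f` lines on stdin, e.g.
#   package:/system/app/Foo/Foo.apk=com.example.foo
# Prints "<package> <apk path>" for each known RottenSys package.
# Returns 0 if at least one was found, 1 otherwise.
find_rottensys_packages() {
  found=1
  while IFS= read -r line; do
    case "$line" in
      package:*=*) ;;
      *) continue ;;   # skip anything that is not a package line
    esac
    entry=${line#package:}
    pkg=${entry##*=}        # text after the last '=' is the package name
    path=${entry%=*}        # text before it is the APK path
    for known in $ROTTENSYS_PACKAGES; do
      if [ "$pkg" = "$known" ]; then
        printf '%s %s\n' "$pkg" "$path"
        found=0
      fi
    done
  done
  return $found
}

# Constructed sample (not captured from a real device): two hits, two clean apps.
SAMPLE_PM_OUTPUT="package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SecureWifi/SecureWifi.apk=com.android.services.securewifi
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/Launcher/Launcher.apk=com.changmi.launcher"

# Scans the attached device via adb when available, otherwise the sample above.
# adb emits CRLF line endings on some hosts, hence the tr.
scan_device() {
  if command -v adb >/dev/null 2>&1; then
    adb shell pm list packages -f | tr -d '\r' | find_rottensys_packages
  else
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_rottensys_packages
  fi
}
```

The APK path in each hit tells you whether the package sits in the system image (a `/system/...` path), which is consistent with the pre-installed delivery the article describes; for such packages the regular app manager typically offers only to disable the app rather than uninstall it.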