Nearly five million Android devices were shipped from the factory with a pre-installed malware family called "RottenSys" already on board, and those devices are now in the hands of users around the globe.
The discovery was made by Check Point Research, the research arm of the security firm Check Point. In a detailed report, the researchers confirmed that the malware is present on a substantial number of Android phones.
The unsettling part of the report is that the malware was loaded onto the phones somewhere in the supply chain, before the devices ever reached a buyer, and that it masquerades as an unrelated, legitimate-looking program, which makes it hard for antivirus apps and security researchers to spot.
According to the Check Point report, RottenSys is built for ad fraud: its purpose is to generate advertising revenue for its operators at the expense of the device owner.
RottenSys poses as a "System Wi-Fi Service", a name that looks perfectly legitimate to a user scrolling through the app list.
Phone Brands Affected by RottenSys
Some of the world's major phone manufacturers are affected by this newly identified malware. Chinese vendors often appear in such lists, but the brands affected by RottenSys include established names such as Samsung, Huawei and Xiaomi. Newer entrants that have built a strong user base, such as Gionee, Vivo and Oppo, are on the list as well.
The Check Point researchers first found the malware on a Xiaomi Redmi phone. The Redmi is relatively unknown in Western markets, as it is a low-cost model aimed at Asian countries.
Further investigation showed that the malware was not confined to the Xiaomi brand but was present on many other devices as well.
A Supply-Chain Weak Point Led to the Issue
The research team followed a trail of clues back to the origin of the malware. The infected Xiaomi phone had passed through a third-party supply-chain distributor known as Tian Pai, based in Hangzhou, China.
Tian Pai also handles devices from major brands such as Samsung and newer entrants such as Gionee, which explains how the malware ended up on a wide range of devices sold throughout the world.
The researchers describe RottenSys as a sophisticated piece of code that passes itself off as the component Android uses to manage its Wi-Fi connections. When they examined the permissions it requests, they found it asks for things a Wi-Fi service has no business needing: read access to the user's calendar, accessibility service permission and the ability to download files silently.
An Evasive Malware Strategy
RottenSys uses some clever tactics to evade Android's own defences and outside security experts. The campaign has been running since September 2016, and with the distributor working through multiple orders, the malware made it onto approximately 4,964,460 devices.
Its first trick is delay: the component does not start any malicious activity when the device is first set up, so a security app that inspects it early sees nothing that contradicts its "Wi-Fi service" disguise.
The second tactic is a dropper component that only activates once the device is switched on. It then contacts the command-and-control server, and only after that is the actual malicious payload installed on the user's phone.
Because the app holds the permission to download without notification, it can fetch the payload from the server entirely in the background, without the user ever seeing a prompt.
RottenSys Malware Turned into Aggressive Adware
At the time the researchers found it hiding behind the Wi-Fi service disguise, RottenSys was not lying dormant; it was already being used as an aggressive adware engine.
The app pulls ads from Guang Dian Tong, Tencent's advertising platform, and from the Baidu ad exchange, and forces them onto users.
By pushing ads directly into the device's interface, the malware drives a large number of clicks, earning a substantial sum for the people behind it. According to the report's figures, ads pushed by RottenSys received 13,250,756 impressions and 548,822 clicks.
On that basis, whoever is behind the malware earned about $115,000 in a single 10-day window.
How to Remove RottenSys Malware from Your Android Device
Not every device is infected, but with roughly five million phones affected, it is worth checking whether yours is one of them. Here's how:
- Open the System Settings page.
- Tap Apps (called Application Manager or App Manager on some phones).
- Look for the malware packages. If you find any of the apps listed below, tap it and uninstall it.
- android.yellowcalendarz (每日黄历, "Daily Almanac")
- changmi.launcher (畅米桌面, "Changmi Launcher")
- android.services.securewifi (系统WIFI服务, "System WiFi Service")
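For anyone with USB debugging enabled, the same check is quicker over adb, and the permission clues from the report can be checked at the same time. The following script is an added example, not code from the Check Point report or from the original article. It assumes the three package names above appear in `pm list packages` output with the usual `com.` prefix that the article's list omits, so matching is done on the suffix; it also assumes the `adb` tool is installed. The sample `pm list packages` and `dumpsys package` excerpts at the top are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point report or the article).
# Assumptions: package names in `pm list packages` carry a leading "com."
# that the article drops, so we match on the suffix; `adb` is installed
# and the phone has USB debugging enabled for the live check at the end.

# Package-name suffixes taken from the article's removal list.
ROTTENSYS_PKGS="android.yellowcalendarz changmi.launcher android.services.securewifi"

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT='package:com.android.settings
package:com.android.services.securewifi
package:com.changmi.launcher
package:com.example.securewifi.helper
package:com.google.android.gms'

# Constructed sample of the "requested permissions" part of
# `adb shell dumpsys package <pkg>` for the fake Wi-Fi service.
SAMPLE_DUMPSYS='  requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.READ_CALENDAR
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'

# Read `pm list packages` lines ("package:com.foo.bar") on stdin and print
# the full name of every package whose name is, or ends with ".", one of
# the RottenSys suffixes. Plain substring matching would also hit
# unrelated names like com.example.securewifi.helper, so anchor on ".".
find_rottensys_packages() {
    while IFS= read -r line; do
        pkg=${line#package:}
        for s in $ROTTENSYS_PKGS; do
            case "$pkg" in
                "$s"|*."$s") echo "$pkg" ;;
            esac
        done
    done
}

# Turn package names on stdin into removal commands. Pre-installed apps
# cannot be uninstalled outright without root, but `pm uninstall -k --user 0`
# removes them for the primary user, which stops them from running.
removal_commands() {
    while IFS= read -r pkg; do
        echo "adb shell pm uninstall -k --user 0 $pkg"
    done
}

# Read `dumpsys package <pkg>` output on stdin and flag the permission
# combination the report describes for the fake Wi-Fi service: silent
# downloads plus calendar access, neither of which a Wi-Fi manager needs.
# Prints "suspicious" or "ok".
suspicious_permissions() {
    dl=0
    cal=0
    while IFS= read -r line; do
        case "$line" in
            *android.permission.DOWNLOAD_WITHOUT_NOTIFICATION*) dl=1 ;;
            *android.permission.READ_CALENDAR*) cal=1 ;;
        esac
    done
    if [ "$dl" -eq 1 ] && [ "$cal" -eq 1 ]; then
        echo suspicious
    else
        echo ok
    fi
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_rottensys_packages | removal_commands
printf '%s\n' "$SAMPLE_DUMPSYS" | suspicious_permissions

# Live check against an attached phone (uncomment when adb is available):
#   adb shell pm list packages | find_rottensys_packages | removal_commands
#   adb shell dumpsys package com.android.services.securewifi | suspicious_permissions
```

The script only prints the uninstall commands rather than running them, so you can review the list before removing anything; a package that matches on name but shows an ordinary permission set deserves a second look before it is removed.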
The affected smartphone brands are expected to roll out a fix that automatically finds and removes the malware. In the meantime, it does no harm to remove it yourself rather than wait for the company to ship an update.
The Check Point researchers also warn that the creators of RottenSys are working on a new botnet capability that uses the same dropper component and could bring millions of devices under their control.
Each infected device would be enrolled into the botnet and driven by Lua scripts, a lightweight scripting language, pushed from the command-and-control server.
A formal statement from the manufacturers of the affected smartphones was still pending at the time of writing, and security researchers continue to track the campaign.