Earlier there were reports of cryptocurrency mining apps harming Android phones, and we also came to know about malware hidden in banking apps. Google has tightened the security of the Android platform with the features of Android P, but still not everything is under the user's control. With the rise of technology, user security is, more or less, a big blunder nowadays. It is quite unexpected, but a new malware, 'RottenSys', has been found pre-installed on phones from big, reputed companies.
Recently, Check Point Mobile Security researchers uncovered a new malware, 'RottenSys', on millions of brand new smartphones from manufacturers like Xiaomi, Oppo, Vivo, Samsung, Honor, Huawei and Gionee. According to the cyber-security researchers at Check Point, this new malware displays pop-up or full-screen advertisements on the affected device's home screen.
RottenSys Malware Discovery –
The security researchers found an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. The suspicious application does not provide any Wi-Fi related service to users, yet it asks for many sensitive permissions that have nothing to do with a Wi-Fi service, such as the accessibility service permission, read access to the user's calendar and the silent download permission. That mismatch is what made the app suspicious and caught the researchers' eye. RottenSys uses an open-source Android application virtualization framework named 'Small', which allows all of the malicious components to run alongside each other at the same time and combine into the functionality of an extensive rogue ad network. It then pushes those advertisements onto the device's screen.
RottenSys also uses another open-source framework called MarsDaemon, which further hampers the device's performance and battery usage. Users in China are the main target of this malware, as it is adapted to use Chinese ad platforms like Tencent and Baidu for its fraudulent ad operations.
As per the report, this widespread 'RottenSys' malware has infected nearly 5 million users for fraudulent ad revenue. RottenSys uses two evasion techniques. The first is postponing its operation for a set time, so that the malicious activity cannot easily be connected back to the app that caused it; the second is the dropper-based staging described in the next section.
RottenSys’s Malicious Operation –
The “RottenSys” malware initially contains only a dropper component, which does not display any malicious activity at first. Once the dropper is installed and becomes active, it contacts its Command and Control (C&C) server, which sends it a list of the additional components required for its activity. These components contain the actual malicious code and are downloaded from the C&C server after the dropper receives the list. This malware actually has many different variants, all designed to communicate with their control servers without requiring any user permission.
RottenSys downloads three additional components silently, using the DOWNLOAD_WITHOUT_NOTIFICATION permission, which requires no user interaction at all. All of this happens on the device in plain sight, yet because the downloads are hidden, nothing shows up on the screen and the user never notices.
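As an added example (not part of the original article or of Check Point's research), the script below applies the same permission-mismatch heuristic the researchers relied on: it parses the `requested permissions` block of `adb shell dumpsys package` output and flags any app that requests two or more of the permissions described above (accessibility service, calendar read, silent download). The dumpsys text, the package names in it and the treatment of the accessibility permission as a requested permission are constructed assumptions for illustration.

```python
"""Triage dumpsys output for the RottenSys-style permission mismatch."""
import re
from typing import Dict, List, Set

# Permissions the article describes as unrelated to a "Wi-Fi service".
# Assumption: in real dumpsys output an accessibility service is declared on
# the <service> element rather than requested; the sample lists it as a
# requested permission purely to keep the illustration compact.
SUSPICIOUS: Set[str] = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_CALENDAR",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
}

# Constructed sample shaped like `adb shell dumpsys package` output.
# Package names are hypothetical placeholders, not RottenSys indicators.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wifiservice] (abc123):
    requested permissions:
      android.permission.ACCESS_WIFI_STATE
      android.permission.BIND_ACCESSIBILITY_SERVICE
      android.permission.READ_CALENDAR
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    install permissions:
      android.permission.ACCESS_WIFI_STATE: granted=true
  Package [com.example.notes] (def456):
    requested permissions:
      android.permission.READ_CALENDAR
      android.permission.INTERNET
"""


def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of permissions it requests."""
    result: Dict[str, Set[str]] = {}
    current, in_block = None, False
    for line in dump.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current, in_block = m.group(1), False
            result[current] = set()
        elif current and line.strip() == "requested permissions:":
            in_block = True
        elif in_block:
            # Permission lines sit deeper than the header; anything shallower
            # (e.g. "install permissions:") closes the block.
            if line.startswith("      ") and line.strip():
                result[current].add(line.strip())
            else:
                in_block = False
    return result


def flag_packages(dump: str, min_hits: int = 2) -> List[str]:
    """Return packages requesting at least `min_hits` suspicious permissions."""
    perms = parse_requested_permissions(dump)
    return sorted(p for p, ps in perms.items() if len(ps & SUSPICIOUS) >= min_hits)
```

Run against a real device by piping `adb shell dumpsys package packages` into `flag_packages`; a flagged app is a candidate for manual review, not proof of infection.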
Users Affected by RottenSys Malware –
This RottenSys malware started surfacing online in September 2016. As per reports, it had infected around 4,964,460 devices by March 12, 2018. Moreover, the report adds that this malware mostly affected devices from Honor, Huawei and Xiaomi.
Money Made by the Attackers –
So what do you think, how much have these attackers made from this malware? Well, the figures in the report are eye-popping. In the past 10 days alone, RottenSys sent over 13,250,756 pop-up ads, which generated around 548,822 ad clicks. Valuing those impressions at 40 cents per thousand, together with the clicks they generated, the malware has already earned over $115k for cyber-criminals in just a ten-day period.
Protect Your Smartphone from RottenSys –
Are you getting ads on your brand new smartphone, and want to get rid of 'RottenSys' from your device? Well, the cyber-security researchers have found an easy solution. All you need to do is go to Settings > App Manager, check for any of the package names listed below, and if you find any of them, just uninstall it.