According to The Hacker News, a massive and rapidly growing malware campaign has infected almost 5 million Android devices across the globe. The malware, dubbed RottenSys, was found masquerading as a “System Wi-Fi service” application and came pre-installed on millions of new devices manufactured by well-known companies, including Samsung, Vivo, Xiaomi, Huawei, Honor, and Gionee.
The infected handsets were shipped through Tian Pai, a mobile device distributor based in Hangzhou. However, the researchers noted that it is unknown whether the company was knowingly involved in the campaign.
The Check Point Mobile Security Team first detected the campaign and described RottenSys as an advanced piece of malware. The software provides no legitimate Wi-Fi security service at all; instead, it requests nearly every sensitive permission on the infected device in order to carry out its malicious activity.
“According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys,” the security team wrote.
To avoid detection, the infected application ships without any malicious components and does not begin malicious activity immediately. Instead, RottenSys is built to contact its C&C servers and retrieve a list of additional components to fetch; it is those components that contain the actual malicious code.
The malware requests the “DOWNLOAD_WITHOUT_NOTIFICATION” permission so that these downloads complete silently, with no notification shown to the user and no user interaction required.
At present, the campaign pushes an adware component to every infected device and displays ads on the infected handset’s home screen.
RottenSys is an extremely aggressive ad network. In the past 10 days alone, it served aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of those impressions were converted into ad clicks.
In addition, the attackers behind the campaign can easily take full control of infected devices, because RottenSys is designed to install whatever new components its C&C servers hand it. Notably, the investigation found evidence that the group behind RottenSys has begun turning the millions of infected devices into a botnet.
According to the researchers, “Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.”
Users should know how to detect and remove this Android malware.
To check whether a device is infected, open the Android system settings and then the App Manager. If any of the following apps is installed, the device is infected:
- com.android.yellowcalendarz (每日黄历, “Daily Almanac”)
- com.changmi.launcher (畅米桌面, “Changmi Launcher”)
- com.android.services.securewifi (系统WIFI服务, “System WiFi Service”)
To remove the malware, uninstall these apps. Because the components came pre-installed, the Uninstall button may be missing or greyed out on some handsets; in that case, disable the app from the same screen so it can no longer run, or remove it for the primary user over adb.
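The following script is an added example written for this page; it is not code from Check Point, The Hacker News, or the RottenSys operators. It automates the check above by matching the three package names against a `pm list packages` listing (from a saved dump or live over adb), looks for the DOWNLOAD_WITHOUT_NOTIFICATION permission discussed earlier in a `dumpsys package` dump, and removes any hits for the primary user. The sample listing and dump are constructed inline so the script runs offline; the `--scan` and `--remove` modes assume `adb` is on PATH, USB debugging is enabled, and that `pm uninstall --user 0` is accepted for these packages on the handset (an assumption, since system-partition apps vary by vendor).

```shell
#!/bin/sh
# Added example (not from the original article or Check Point's writeup):
# detect and remove the RottenSys packages named above.

# Package names from the indicator list in the article.
ROTTENSYS_PKGS="com.android.yellowcalendarz com.changmi.launcher com.android.services.securewifi"

# The permission the dropper uses to fetch components silently.
SILENT_DL_PERM="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Constructed sample of `adb shell pm list packages` output: one benign
# package plus two of the RottenSys components.
SAMPLE_LISTING="package:com.android.calendar
package:com.changmi.launcher
package:com.android.services.securewifi"

# Constructed sample of the permission section of `adb shell dumpsys package`.
SAMPLE_DUMPSYS="  requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
  install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true"

# rottensys_matches LISTING: print each indicator package present in LISTING
# (one "package:<name>" line per installed app). Always exits 0, so callers
# under `set -e` are safe; an empty result means the listing is clean.
rottensys_matches() {
    for pkg in $ROTTENSYS_PKGS; do
        # -x: whole-line match, -F: literal (dots are not regex wildcards),
        # so com.changmi.launcher does not also match com.changmi.launcher.foo
        if printf '%s\n' "$1" | grep -qxF "package:$pkg"; then
            echo "$pkg"
        fi
    done
    return 0
}

# rottensys_count LISTING: number of indicator packages present (0 = clean).
rottensys_count() {
    rottensys_matches "$1" | grep -c . || true
}

# has_silent_download DUMPSYS_TEXT: exit 0 if the `dumpsys package <pkg>`
# output requests DOWNLOAD_WITHOUT_NOTIFICATION, 1 otherwise. Useful for
# vetting any other pre-installed app that looks suspicious.
has_silent_download() {
    printf '%s\n' "$1" | grep -qF "$SILENT_DL_PERM"
}

# scan_device: live check over adb. `tr` strips CRs from older adb builds.
scan_device() {
    rottensys_matches "$(adb shell pm list packages | tr -d '\r')"
}

# remove_rottensys: uninstall each hit for user 0. Pre-installed apps often
# cannot be removed from Settings; `pm uninstall --user 0` removes the app
# for the primary user without touching the read-only system partition.
# Assumption: the device accepts this for the RottenSys packages. If it is
# refused, `adb shell pm disable-user --user 0 <pkg>` stops it from running.
remove_rottensys() {
    for pkg in $(scan_device); do
        echo "removing $pkg for user 0"
        adb shell pm uninstall --user 0 "$pkg"
    done
}

case "${1:-}" in
    --scan)   scan_device ;;
    --remove) remove_rottensys ;;
    *)        echo "hits in sample listing: $(rottensys_matches "$SAMPLE_LISTING" | tr '\n' ' ')"
              has_silent_download "$SAMPLE_DUMPSYS" && echo "sample app requests $SILENT_DL_PERM" ;;
esac
```

Run it with no arguments to exercise the constructed samples, `--scan` to list hits on an attached handset, and `--remove` to uninstall them for the primary user; check `adb shell pm list packages` again afterwards, since a vendor ROM that refuses the uninstall will still show the package, in which case fall back to disabling it.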