Skip to main content

Pre-Installed Malware Found On 5 Million Popular Android Phones


Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

Dubbed RottenSys, the malware that disguised as a 'System Wi-Fi service' app came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.

All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.

According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.
"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.

Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.

RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.

Hackers Earned $115,000 in Just Last 10 Days

android-hacking-software
At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.
According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."

Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.

The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.

Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.
"Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.
This is not the first time when CheckPoint researchers found top-notch brands affected with the supply chain attack.

Last year, the firm found smartphone belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.

How to Detect and Remove Android Malware?


To check if your device is being infected with this malware, go to Android system settings→ App Manager, and then look for the following possible malware package names:
  • com.android.yellowcalendarz (每日黄历)
  • com.changmi.launcher (畅米桌面)
  • com.android.services.securewifi (系统WIFI服务)
  • com.system.service.zdsgt

YOU MAY ALSO LIKE:

Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

Chrome Web Browser Will Now Use 10% More RAM With Spectre Fix

A new security feature named ‘Site Isolation’ has been introduced for Google Chrome 67 which would nullify the effects of speculative execution side-channel attacks like Spectre. To put things to the perspective, Spectre is one of the two fundamental design flaws in the  modern processors, which allow programs to get access to the data for which it is not authorized. Malicious data can exploit this flaw to steal your password and other personal information. What is Site Isolation? The new Site Isolation feature introduced in Google Chrome 67 brings about a fundamental change to Chrome’s architecture. Now, Chrome has changed how its multi-process architecture worked and different tabs used different render processes. According to the new architecture, Chrome limits each renderer process to a single site. By this separation of processes, Google aims to prevent direct memory reading across different processes to safeguard users’ data. According to G...
Post a Comment
Read more

Google starts rolling out ‘Call Screen’ feature for Pixel smartphones

San Francisco, Dec 2 (IANS) Google has started rolling out a feature for its Pixel smartphones that lets users make use of the Google Assistant to see who is calling and why before they answer a call. The feature allows users to see a real-time transcript of how the caller responds so that they can then decide whether to pick up, respond by tapping a quick reply (for example, “I’ll call you back later”), or mark the call as spam and dismiss. “Call Screen is only available to English speakers in the United States who have Pixel 2, 2 XL, 3, or 3XL devices. If you don’t see Call Screen in the Phone app’s settings, it’s not available yet,” Google said. Call Screen, which can help users save the time spent on picking up unimportant calls from unknown numbers, does not use Wi-Fi or mobile data of the user. This feature does not work with third-party call recording and screen recording apps as these apps may interfere with how the feature works. It is better to turn off these app...
Post a Comment
Read more

Amazon, Reddit And Others Fail To Warn Us About Dumb Passwords

B elieve it or not, there is still a large number of people who use passwords such as “password,” “password123”, “[dog’s name]1” and others along the same lines. And in the era of sophisticated hacking, these passwords are not exactly “safe.” Before me, this is the first thing websites should inform you while setting up a password. But apparently, many big names are not doing enough to encourage non-terrible passwords, according to  the new research . Steve Furnell from the University of Plymouth has been keeping tabs on the websites like Amazon, Reddit, and Wikipedia for many years, carrying out similar assessments in 2007, 2011 and 2014. His 2018 survey examined practices of Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live, and Netflix. The study concluded that Amazon had the worst performance among all the names. It nearly accepted every kind of password of any length. On the other hand, Yahoo and Wikip...
Post a Comment
Read more