RottenSys Malware: Almost 2 Years and Still Counting!

Check Point's Mobile Security Team recently found a huge malware campaign that has already affected 5 million Android users. This means that more than 5 million users might not even know that they have malware installed on their devices.

The malware, termed RottenSys, hides in the device's WiFi service application. This service application comes pre-installed on several models of smartphone, including phones made by big brands such as Huawei, Gionee, Oppo, Vivo, and Samsung.

According to reports, the researchers assume that these brands cannot be blamed directly for the malware, and that the devices may have been infected in the warehouse or along the supply chain. Indirectly, the supply chain is being held responsible for spreading this malware called 'RottenSys'.

All the affected devices were shipped through a common distributor. According to reports, they were all supplied from the city of Hangzhou by the China-based mobile service distributor named Tian Pai. The Check Point team is still not certain whether the distributor was directly involved in spreading the RottenSys malware to Android devices.


RottenSys, as the Check Point researchers claim, is an extremely complex and advanced malware that can obtain most of the sensitive permissions and information on an Android device. For example, it can ask for silent download permission, which means that it can download programs and applications without displaying a notification or asking for permission.

This malware was first found in September 2016, and so far it has infected almost 4,964,460 Android devices.

At first, the fake WiFi application manager in RottenSys tries to avoid detection rather than starting its malicious tasks the moment the malware is installed; it takes a passive approach to do this. The malware component then contacts a C&C server to receive the list of resources it needs, which also contains the malicious code.

A recent blog from Check Point stated that “RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times, and 548,822 of which were translated into ad clicks.”

In addition to that statement, Check Point also mentioned in the blog that “The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet.”

The malware was originally deployed to display fake ads on the home screen. The developers of this malware are also extending its code for further malicious activities through the C&C server. New malware modules are being added to the already installed programs so that the user has no option other than to pay or shut down their device.

It is capable of deploying a botnet army. And in only 10 days, the actors behind it have already made $115,000 in profit.


This botnet can perform various unwanted activities, such as installing additional apps without permission, and can automate the user interface (UI) as well. Researchers found that this mechanism was implemented using Lua scripts, which makes it possible for attackers to re-use the already installed malware and gain control over other devices as well.


Android users affected by RottenSys can easily uninstall the malware. How?

If the device is infected with the packages named below, or with the malware's dropper package, users can simply uninstall these packages themselves.

Here is what they all have to do:

1. Go to Android System Settings.

2. Then go to App Manager.

3. Look for the package names given below and simply uninstall them.

  • android.yellowcalendarz
  • changmi.launcher
  • android.services.securewifi
  • system.service.zdsgt
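For users who prefer to check a device from a computer instead of scrolling through App Manager, the following script is an added example (not from the original article or from Check Point) that compares a list of installed package names against the four package names above. The sample package list embedded in it is constructed; on a real device the list would come from `adb shell pm list packages`, which prints one `package:<name>` line per installed package.

```shell
#!/bin/sh
# Added example, not part of the original article: compare installed Android
# package names against the four RottenSys package names listed above.

# Exact package names from the article, one per line.
ROTTENSYS_PACKAGES="android.yellowcalendarz
changmi.launcher
android.services.securewifi
system.service.zdsgt"

# rottensys_matches: reads "package:<name>" lines (the format printed by
# `adb shell pm list packages`) on stdin and prints each installed package
# whose name exactly matches one of the known RottenSys names.
rottensys_matches() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        for known in $ROTTENSYS_PACKAGES; do
            if [ "$pkg" = "$known" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# Constructed sample of `pm list packages` output for a device that carries
# two of the RottenSys packages alongside ordinary apps.
SAMPLE_PM_OUTPUT="package:com.android.settings
package:android.services.securewifi
package:com.example.notes
package:changmi.launcher"

# Usage with a connected device (requires adb and USB debugging):
#   adb shell pm list packages | rottensys_matches
# Here the constructed sample stands in for the device output.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | rottensys_matches
```

Any name the script prints is one of the packages the article says to uninstall; an empty result means none of the four names is installed under exactly that package name, which does not rule out a renamed dropper.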

If you find this helpful please let us know. Give us your feedback in the comment box below.
