An information security research team has discovered an ongoing malware campaign that has so far claimed 5 million victims. Reportedly, the malware, dubbed RottenSys, has built a massive botnet of 5 million mobile devices from across the globe.
The malware is hidden in a System Wi-Fi service application that is installed by default on countless smartphone models manufactured by prominent companies including Honor, Huawei, GIONEE, Samsung, Oppo, Vivo, and Xiaomi.
According to the investigation report, information security researchers believe that these firms cannot be held directly responsible for the malware and that the devices must have been infected during the supply chain phase. Probably the distribution firm or a rogue employee is to blame for the installation of the malware.
The affected devices were shipped through the same Hangzhou, China-based mobile device distributor, Tian Pai. However, the researchers are not yet sure whether this particular firm had any direct involvement in the installation of the RottenSys malware.
RottenSys is a highly sophisticated and advanced program that acquires almost all sensitive permissions on an Android mobile phone to perform its malicious acts, information security analysts claim. It asks for silent download permission (the DOWNLOAD_WITHOUT_NOTIFICATION permission), accessibility service permission and read access to the user's calendar. The campaign started in September 2016 and, as of March 12, 2018, it had infected 4,964,460 devices.
The fake Wi-Fi service app evades detection by staying passive at first and not starting its malicious tasks immediately. Later, the malware dropper component contacts its C&C server to receive a list of components it needs; the required component is the actual malicious code. The malware is capable of assembling a botnet, and within only ten days the attackers made profits of approximately $115,000.
“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times, and 548,822 of which were translated into ad clicks,” read a blog post from Check Point.
Originally the malware was used to display fraudulent ads on the mobile devices' home screen. Information security researchers claim that since the onset of 2018, the threat actors have been improving the malware code by adding a new module and have created a brand new malware campaign using the same C&C server. This campaign has remained active since February 2018.
“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet,” continued the blog post.
The botnet can perform a variety of tasks such as installing additional apps discreetly and automating UI actions. Information security researchers identified that part of the botnet's control mechanism is implemented in Lua scripts. The attackers can thus reuse the existing malware distribution channel without any intervention and gain control of millions of devices.
Users can easily uninstall the RottenSys dropper, but only if they know the exact package name to delete. Currently, information security experts are unsure how the attackers intend to use the botnet they have assembled so far.
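Since the article does not name the package, one defender-side way to triage a suspect device is to look for the permission combination it describes. The following script is an added example, not Check Point's code or the report's own tooling: it parses `dumpsys package` style output and flags any package that requests DOWNLOAD_WITHOUT_NOTIFICATION and READ_CALENDAR while also carrying BIND_ACCESSIBILITY_SERVICE. The sample dump is constructed, the package names are placeholders, and the line showing the service permission is an assumed layout.

```python
import re

# Permissions the article says RottenSys asks for. The first two are requested
# permissions; BIND_ACCESSIBILITY_SERVICE is declared on the app's service, so
# it is matched anywhere inside the package's block of the dump.
REQUESTED_COMBO = {
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
    "android.permission.READ_CALENDAR",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_dumpsys(text):
    """Map package name -> set of permission strings seen in its dump block."""
    packages, current, in_requested = {}, None, False
    for line in text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current, in_requested = header.group(1), False
            packages.setdefault(current, set())
            continue
        if current is None:
            continue
        stripped = line.strip()
        if ACCESSIBILITY_PERM in stripped:
            packages[current].add(ACCESSIBILITY_PERM)
        if stripped == "requested permissions:":
            in_requested = True
        elif in_requested and re.fullmatch(r"[\w.]+", stripped):
            packages[current].add(stripped)
        else:
            in_requested = False  # any other line ends the requested list
    return packages


def flag_packages(packages):
    """Packages holding the whole RottenSys-style permission set."""
    wanted = REQUESTED_COMBO | {ACCESSIBILITY_PERM}
    return sorted(p for p, perms in packages.items() if wanted <= perms)


# Constructed dumpsys-style sample: one harmless Wi-Fi app, one suspect.
SAMPLE = """Packages:
  Package [com.example.wifihelper] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.suspect] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.READ_CALENDAR
    install permissions:
      android.permission.INTERNET: granted=true
    Service [com.example.suspect/.Helper] permission=android.permission.BIND_ACCESSIBILITY_SERVICE
"""
```

On a real device, feed it the output of `adb shell dumpsys package` and review flagged packages manually before uninstalling anything.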
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.