A Chinese strain of malware called RottenSys managed to infect nearly 5 million Android devices.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service,” states Check Point’s analysis.
The security researchers started investigating after finding an unusual, self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. The experts found that the service provides no Wi-Fi related functionality at all; instead it requests a number of Android permissions unrelated to Wi-Fi.
RottenSys uses two evasion techniques:
- The first is delayed execution: the malware postpones its operations for a set period, so that it shows no suspicious behaviour in the time right after installation, when a user or an analysis sandbox is most likely to be watching.
- The second is a dropper that initially shows no malicious activity at all. Once the device is active, the dropper contacts the command-and-control (C&C) server, which returns a list of the additional components the malware needs; the dropper then downloads them, so the malicious payload is never present in the initially installed package.
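As a practical triage check for the pattern described above (an app whose label claims to be a system Wi-Fi service while it requests permissions that a staged dropper or ad injector needs), here is an added Python example. It is not part of the article or of Check Point's analysis. It parses an app's AndroidManifest.xml, compares the requested permissions against an allowlist of what a genuine Wi-Fi helper could plausibly need, and flags the app when the label claims system Wi-Fi functionality but the permissions fit a dropper. The allowlist, the dropper-indicator permission set, and the sample manifests with their package names are assumptions constructed for illustration, not identifiers from the RottenSys samples.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a genuine Wi-Fi helper service could plausibly need.
# Assumed allowlist for this example; not taken from the Check Point report.
WIFI_SERVICE_EXPECTED = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.INTERNET",
}

# Permissions that let an app silently fetch further code, install packages, or
# draw over other apps: what a staged dropper or ad injector needs, not a Wi-Fi
# service. Assumed indicator set; the article lists no specific permissions.
STAGED_DROPPER_INDICATORS = {
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Matches labels such as "System Wi-Fi Service" or "系统WIFI服务".
SYSTEM_WIFI_LABEL = re.compile(r"(system|系统).*wi-?fi.*(service|服务)", re.IGNORECASE)


def triage_manifest(manifest_xml: str) -> dict:
    """Flag an app whose label claims to be a system Wi-Fi service but whose
    requested permissions fit a staged dropper better than a Wi-Fi helper."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""
    requested = {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.findall("uses-permission")
    }
    claims_system_wifi = bool(SYSTEM_WIFI_LABEL.search(label))
    dropper_hits = sorted(requested & STAGED_DROPPER_INDICATORS)
    unexpected = sorted(requested - WIFI_SERVICE_EXPECTED)
    return {
        "package": root.get("package"),
        "label": label,
        "claims_system_wifi": claims_system_wifi,
        "dropper_indicators": dropper_hits,
        "unexpected_permissions": unexpected,
        # Suspicious only when both signals line up: the app presents itself as
        # a system Wi-Fi service AND asks for permissions a dropper needs.
        "suspicious": claims_system_wifi and bool(dropper_hits),
    }


# Constructed sample manifests (hypothetical package names, not RottenSys identifiers).
FAKE_WIFI_SERVICE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifiservice">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="系统WIFI服务"/>
</manifest>"""

BENIGN_WIFI_HELPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifihelper">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application android:label="Wi-Fi Helper"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (FAKE_WIFI_SERVICE, BENIGN_WIFI_HELPER):
        result = triage_manifest(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']} ({result['label']}): {verdict}")
        if result["suspicious"]:
            print("  dropper indicators:", ", ".join(result["dropper_indicators"]))
```

To use it on a real device, decode the manifest from the APK (for example with apktool) and pass the XML text to `triage_manifest`. The check deliberately requires both signals, the misleading label and the dropper-style permissions, because each alone is common in legitimate apps; the `unexpected_permissions` list is returned for an analyst to review rather than used for the verdict.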
The malicious code relies on two open-source projects:
- The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components; this lets the malware run several tasks in parallel and work around limitations the Android OS would otherwise impose on it.
- The MarsDaemon library, which keeps apps “undead.” RottenSys uses MarsDaemon to keep its processes alive even after the user closes them, so the malware is always able to inject ads.
The researchers warn that the RottenSys botnet will have extensive capabilities, including silently installing additional applications and UI automation. There is therefore a risk that the attackers could use the botnet for more dangerous activities, such as distributing ransomware.
“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” the researchers’ analysis reads.
The experts trace RottenSys back to September 2016; since then the number of infected devices has reached 4,964,460.
Currently the malware targets only Chinese users, and it has mostly infected devices from Huawei, Xiaomi, Coolpad, LeEco, vivo, and OPPO.
According to the experts, the attackers are financially motivated: the ad fraud earns them approximately $115,000 every ten days.