Pre-Installed Malware Found On 5 Million Popular Android Phones

Started By: gg_APPUT59 Started On: 2018-3-16 19:07:07
2673 7
Edited by gg_APPUT59 at 2018-3-16 19:09

Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

Dubbed RottenSys, the malware that disguised as a 'System Wi-Fi service' app came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.

All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.
According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.

"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.

Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.

RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.
Hackers Earned $115,000 in Just Last 10 Days
At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.

"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.
According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."

Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.

The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.

Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.

"Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.
This is not the first time when CheckPoint researchers found top-notch brands affected with the supply chain attack.

Last year, the firm found smartphone belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.

How to Detect and Remove Android Malware?

To check if your device is being infected with this malware, go to Android system settings→ App Manager, and then look for the following possible malware package names:

  • com.android.yellowcalendarz (每日黄历)
  • com.changmi.launcher (畅米桌面)
  • com.android.services.securewifi (系统WIFI服务)
  • com.system.service.zdsgt
If any of above is in the list of your installed apps, simply uninstall it.
MAY I PLEASE HAVE EVERYONE'S ATTENTION, BE CAREFUL, YOU'LL NEVER KNOW WHEN YOU'LL HAVE IT.


ollim
Honeycomb
2# 2018-3-16 19:53:16
Thanks for the warning! Checked my Mix and couldn't find any of the mentioned packages. Tried to look for them with the File Manager as well from the Android -folders, but not there either. So far so good...
Reply

gg_b7Vi806
Honeycomb
3# 2018-3-16 20:57:01
Muchas gracias por la advertencia y la información facilitada.

Saludos.
Reply

gg_APPUT59
Global moderators
4# 2018-3-17 08:39:06
ollim replied at 2018-3-16 19:53
Thanks for the warning! Checked my Mix and couldn't find any of the mentioned packages. Tried to loo ...

Good to know! Keep safe
Reply

gg_APPUT59
Global moderators
5# 2018-3-17 08:39:19
gg_b7Vi806 replied at 2018-3-16 20:57
Muchas gracias por la advertencia y la información facilitada.

Saludos.

Gracias!
Reply


6# 2018-11-18 23:57:34
Holly snap, I can imagine to have telephone locked by ransomware in a while
Reply


7# 2018-11-19 00:06:36
have you heard of maybe of GlobeImposter 2.0 crypto ransomware? I have heard it might kind of hide for a while to strike later, also at Android and Mac, not only with Windows
Reply


8# 2019-2-5 23:44:55
thank you for sharing.
Reply
You have to log in before you can reply Login | Register now Sign in with facebook Sign in with google

Points Rules

International