Security researchers at CheckPoint have discovered that Chinese Cyber Criminals are using a malware named as RottenSys to attack android phones all over the world; almost 5 million android devices in their botnet network.
"The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service." according to checkpoint analysis report.
Experts found an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone ans started their investigation. They found that the application does not provide any secure Wi-Fi related service to users. Instead, it asks for many sensitive Android permissions such as accessibility service permission, user calendar read access and silent download permission, which are not related to Wi-Fi service. Their key findings were:
- RottenSys, a mobile adware, has infected nearly 5 million devices since 2016.
- Indications show the malware could have entered earlier in the supplier chain.
- The attackers have been testing a new botnet campaign via the same C&C server.
The RottenSys malware implements two evasion techniques:
- The first technique consists of postponing operations for a set time.
- The second technique uses a dropper which does not display any malicious activity at first. Once the device is active and the dropper contacts the Command and Control (C&C) server which sends it a list of additional components required for its activity.
The malicious code relies on two open-source projects:
- The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components, with this trick the malware could run parallel tasks, overwhelming Android OS limitations.
- The MarsDaemon library that keeps apps “undead.” MarsDaemon is used to keep processes alive, even after users close them. Using it the malware is always able to inject ad.
“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” according to the same the analysis.
According to the findings, the RottenSys malware began propagating in September 2016. By 12 March 2018; 49,64,460 devices were infected by RottenSys. The top impacted mobile devices brands are Honor, Huawei, and Xiaomi.
RottenSys is totally focusing on aggressive ad network for making huge profits. In the past 10 days alone, it displayed ads 13,250,756 times (commonly called impressions) and out of which 548,822 were converted into ad clicks. We tried to roughly calculate the revenue from these impressions and clicks according to the conservative estimation of 20 cents for each click and 40 cents for each thousand impressions. According to these calculations, the attackers earned over $1,15,000 from their malicious operation in the last ten days alone!