According to a report published by Check Point, a company specializing in digital security, its researchers have discovered a new, widespread family of malware that targets more than 5 million users and whose purpose is to generate fraudulent advertising revenue. They have named it RottenSys because it initially arrives “disguised” as a WiFi service. The striking part is that it is already present when customers acquire the phone, so it can be found on devices from brands such as Samsung, Xiaomi, Honor, Oppo, Vivo, Huawei and Gionee. All infected devices were sold through a third-party mobile telephony distributor in the supply chain, called Tian Pai, which is located in Hangzhou, China. According to Check Point, the malware was first discovered on a Xiaomi Redmi handset. RottenSys is an advanced piece of malware that disguises itself as a tool for managing WiFi connections. However, instead of providing any service related to the user’s Wi-Fi connection, the application requests Android permissions such as accessibility, calendar reading and background downloading, none of which has anything to do with a WiFi service.
RottenSys, the Android malware that has infected more than 5 million devices
As far as is known, the RottenSys malware began to spread in September 2016, and researchers say that by this point in 2019 almost 5 million devices are infected. RottenSys uses two techniques to avoid detection. First, it postpones any malicious activity so that the behaviour cannot be linked to the app itself. Second, RottenSys initially shows no illicit activity at all; only once the device is active does it begin to communicate with C&C servers to obtain the list of components that contain the real malicious code. The malware then downloads and installs these additional components in the background using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission, so no user interaction is required. This massive campaign pushes adware to every infected device, displaying ads on the device’s home screen as pop-ups or full-screen ads, all to generate fraudulent advertising revenue. In the last ten days alone, RottenSys served more than 13 million “aggressive ads”, more than half a million of which were converted into clicks, generating more than $115,000. Finally, in addition to displaying unwanted advertisements, the attackers are also testing a new botnet campaign through the same C&C server, to turn each device into a node in a larger botnet. So, what do you think about this? Share your opinions and thoughts in the comment section below.
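The two warning signs the article describes, a “WiFi helper” that requests permissions unrelated to networking (accessibility, calendar reading, silent downloads) and the silent-download capability that lets the staged loader fetch its real components in the background, can both be turned into a simple triage heuristic. The script below is an added example written for this page, not Check Point’s tooling or anything from RottenSys itself: it parses a constructed AndroidManifest.xml, compares the requested permissions against an assumed baseline for what a genuine Wi-Fi helper would need, and flags the mismatches. The baseline profile, the high-risk list and the sample manifests are assumptions made for the example; the permission names are real Android permission strings.

```python
"""Permission-mismatch triage for Android manifests.

Added example for this article (not Check Point's or RottenSys's code).
Flags apps whose requested permissions do not fit the role they claim,
and notes when the INTERNET + DOWNLOAD_WITHOUT_NOTIFICATION combination
(the silent background fetch used by a staged loader) is present.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a legitimate Wi-Fi helper plausibly needs.
EXPECTED_PROFILES = {
    "wifi-helper": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
    },
}

# Permissions that are dangerous when they fall outside the claimed role.
HIGH_RISK = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read screen content and inject input",
    "android.permission.READ_CALENDAR": "reads private user data unrelated to networking",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "fetches files silently via DownloadManager",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional components",
}

# Minimum set that enables a silent staged download of further components.
STAGED_LOADER_COMBO = {
    "android.permission.INTERNET",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
}


def requested_permissions(manifest_xml):
    """Return the set of permissions an app asks for in its manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    # Accessibility access is declared on the <service>, not via uses-permission.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            perms.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return perms


def triage(manifest_xml, claimed_role):
    """Compare requested permissions with the baseline for the claimed role."""
    perms = requested_permissions(manifest_xml)
    baseline = EXPECTED_PROFILES[claimed_role]
    unexpected = sorted(perms - baseline)
    findings = [(p, HIGH_RISK[p]) for p in unexpected if p in HIGH_RISK]
    return {
        "unexpected": unexpected,
        "high_risk": findings,
        "staged_loader_capable": STAGED_LOADER_COMBO <= perms,
        "verdict": "suspicious" if findings else "consistent",
    }


# Constructed manifest modelled on the behaviour the article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifiservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of a helper that stays inside its role.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifihelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest, "wifi-helper")
        print(f"[{label}] verdict={report['verdict']} "
              f"staged_loader_capable={report['staged_loader_capable']}")
        for perm, why in report["high_risk"]:
            print(f"  {perm}: {why}")
```

The check is deliberately coarse: it says nothing about what the app does at runtime, only that its declared capabilities do not fit its story, which is exactly the discrepancy the article points to. On a real device the same comparison can be run against the output of the package manager rather than a manifest file, and the baseline profile should be tuned per app category.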