Check Point researchers have found attackers infecting Android devices with a strain of malware named RottenSys that aggressively promotes ads on victims' devices.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.” reads the analysis published by Check Point.
The specialists began the investigation after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. Researchers discovered that the service does not provide any Wi-Fi functionality; instead, it requests a large number of Android permissions unrelated to that role.
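The mismatch described above, an app whose label claims a narrow system role (a Wi-Fi service) while its manifest requests permissions that role would never need, is something a defender can check for across an inventory of installed packages. The following is an added triage example, not code from Check Point's report; the package records are constructed, the permission names are real Android permissions, and the role/permission weighting is an assumption for illustration:

```python
# Added example (not from Check Point's report): flag installed packages whose
# user-facing label claims to be a Wi-Fi service but whose requested
# permissions go well beyond what such a service needs.
# All package records below are constructed for illustration.

from dataclasses import dataclass

# Permissions a genuine Wi-Fi helper might plausibly need (assumption).
WIFI_ROLE_PERMISSIONS = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.INTERNET",
}

# Permissions a Wi-Fi service has no business holding. These are real Android
# permission names; the weights are an assumption chosen for this example.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # draw over other apps (ad overlays)
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # install additional apps
    "android.permission.GET_TASKS": 2,                 # observe foreground activity
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,    # restart itself after reboot
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.WAKE_LOCK": 1,
}

# Substrings (lower-cased) that indicate an app presents itself as a Wi-Fi service.
WIFI_LABEL_HINTS = ("wifi", "wi-fi", "wlan")


@dataclass
class PackageRecord:
    package: str      # Android package name
    label: str        # user-facing app label
    permissions: set  # permissions declared in the manifest


def claims_wifi_role(label):
    """True if the app label presents the app as a Wi-Fi service."""
    return any(hint in label.lower() for hint in WIFI_LABEL_HINTS)


def score_package(record):
    """Return (score, unexpected_permissions); a score of 0 means nothing to flag.

    Only apps that claim the Wi-Fi role are scored, because the signal is the
    gap between the claimed role and the permissions actually requested.
    Unknown extra permissions count 1 each; listed ones use their weight.
    """
    if not claims_wifi_role(record.label):
        return 0, []
    unexpected = sorted(record.permissions - WIFI_ROLE_PERMISSIONS)
    score = sum(SUSPICIOUS_PERMISSIONS.get(p, 1) for p in unexpected)
    return score, unexpected


def triage(records, threshold=3):
    """Return package names whose role/permission mismatch meets the threshold."""
    return [r.package for r in records if score_package(r)[0] >= threshold]


# Constructed sample inventory: one over-privileged "system Wi-Fi service",
# one benign Wi-Fi helper, and one unrelated app that holds an overlay permission.
SAMPLE_PACKAGES = [
    PackageRecord("com.example.syswifi", "系统WIFI服务", {
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.INTERNET",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.GET_TASKS",
    }),
    PackageRecord("com.example.wifihelper", "Wi-Fi Helper", {
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.ACCESS_NETWORK_STATE",
    }),
    PackageRecord("com.example.notes", "Notes", {
        "android.permission.SYSTEM_ALERT_WINDOW",
    }),
]

if __name__ == "__main__":
    for rec in SAMPLE_PACKAGES:
        score, extra = score_package(rec)
        print(f"{rec.package}: score={score} unexpected={extra}")
    print("flagged:", triage(SAMPLE_PACKAGES))
```

On the constructed inventory only the fake system Wi-Fi service is flagged: it claims the Wi-Fi role yet requests overlay, install and task-inspection permissions. The benign helper scores 0, and the notes app is ignored because it never claimed the role. In practice the records would come from a device inventory tool rather than being embedded inline, and the role/permission map would be extended for other commonly impersonated system services.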
The RottenSys malware implements two evasion techniques:
- The first postpones its malicious operations for a set period after installation.
- The second uses a dropper that displays no malicious activity on its own. Once the device is active, the dropper contacts the Command and Control (C&C) server, which sends it a list of additional components required for its activity.
The malicious code also relies on two open-source projects:
- The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components; with this trick the malware can run parallel tasks, bypassing Android OS limitations.
- The MarsDaemon library, which keeps apps “undead.” MarsDaemon is used to keep processes alive even after users close them, so the malware is always able to inject ads.
The botnet has extensive capabilities, including silently installing additional apps and UI automation; there is a risk that crooks will use it to carry out more dangerous activities such as ransomware distribution.
According to experts:
“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” continues the analysis.
The malicious code targets only Chinese users at this time. It is bundled in Chinese apps and is infecting mostly mobile devices from brands such as Huawei, Xiaomi, OPPO, vivo, LeEco, and Coolpad.
The attackers are financially motivated and are currently making around $115,000 every ten days. The experts calculated the revenue from these impressions and clicks using a conservative estimate of 20 cents for each click and 40 cents for every thousand impressions.
More info is included in the report published by Check Point.