Check Point researchers have found attackers infecting Android devices with a strain of malware named RottenSys that aggressively promotes ads on victims’ devices.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service,” reads the analysis of Check Point.
The specialists began the investigation after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. Researchers discovered that the service does not provide any secure Wi-Fi functionality; instead, it asks for a large number of Android permissions.
The RottenSys malware implements two malicious techniques:
- The first consists of postponing its operations for a set time, so that no malicious activity is visible immediately after installation.
- The second technique uses a dropper that does not display any malicious activity on its own. Once the device is active, the dropper contacts the Command and Control (C&C) server, which sends it a list of the additional components required for its activity.
The malicious code also relies on two open-source projects:
- The Small virtualization framework. RottenSys uses Small to create virtualized containers for its components; with this trick the malware can run parallel tasks, circumventing Android OS limitations.
- The MarsDaemon library, which keeps apps “undead.” MarsDaemon is used to keep processes alive even after users close them, so the malware is always able to inject ads.
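As an added, defender-side illustration of the masquerading behaviour described above (not code from Check Point or from this article), here is a small triage heuristic that flags user-installed apps whose label claims to be a system Wi-Fi service while requesting permissions a Wi-Fi helper does not need. The app inventory and the permission sets are constructed assumptions; the page does not reproduce the sample's actual permission list.

```python
# Added triage heuristic (not Check Point's code). Inventory below is constructed.
from dataclasses import dataclass, field

# Permissions a genuine Wi-Fi helper could plausibly need (assumption).
WIFI_BASELINE = {
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.INTERNET",
}
# Permissions that enable overlay ads, silent installs or boot persistence.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
}
# Labels that claim system status; the Chinese label is the one seen on the sample.
SYSTEM_LABELS = ("系统WIFI服务", "System Wi-Fi Service")

@dataclass
class App:
    package: str
    label: str
    apk_path: str
    permissions: set = field(default_factory=set)

def triage(app: App) -> tuple[int, list[str]]:
    """Return (score, reasons). A score of 2 or more is worth manual review."""
    reasons = []
    claims_system = app.label.lower() in (l.lower() for l in SYSTEM_LABELS)
    user_installed = not app.apk_path.startswith("/system/")
    if claims_system and user_installed:
        reasons.append("claims to be a system service but is not installed under /system")
    extra = app.permissions - WIFI_BASELINE
    risky = extra & HIGH_RISK
    if claims_system and risky:
        reasons.append("Wi-Fi label with high-risk permissions: " + ", ".join(sorted(risky)))
    if len(extra) >= 5:
        reasons.append(f"{len(extra)} permissions beyond a Wi-Fi baseline")
    return len(reasons), reasons

def suspicious_apps(inventory: list[App]) -> list[str]:
    """Packages whose triage score reaches the review threshold."""
    return [a.package for a in inventory if triage(a)[0] >= 2]

# Constructed sample inventory: one impostor, one genuine system app.
SAMPLE_INVENTORY = [
    App("com.example.wifisvc", "系统WIFI服务", "/data/app/com.example.wifisvc-1/base.apk",
        WIFI_BASELINE | {"android.permission.SYSTEM_ALERT_WINDOW",
                         "android.permission.RECEIVE_BOOT_COMPLETED",
                         "android.permission.READ_PHONE_STATE",
                         "android.permission.INSTALL_PACKAGES"}),
    App("com.android.settings", "Settings", "/system/priv-app/Settings/Settings.apk",
        WIFI_BASELINE | {"android.permission.WRITE_SETTINGS"}),
]
```

Running `suspicious_apps(SAMPLE_INVENTORY)` on the constructed data flags only the impostor package; on a real device the inventory would come from the package manager.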
The botnet will have extensive capabilities, including silently installing additional apps and UI automation; there is a risk that crooks will use it to carry out more dangerous activities, such as ransomware distribution.
According to experts:
“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices,” continues the analysis.
The malicious code only targets Chinese users at this time. It is bundled in Chinese apps and mostly infects mobile devices from vendors such as Huawei, Xiaomi, OPPO, vivo, LeEco, and Coolpad.
The attackers are financially motivated and are currently making around $115,000 every ten days. The experts calculated the revenue from these impressions and clicks using the conservative estimate of 20 cents per click and 40 cents per thousand impressions.
More info is included in the report published by Check Point.
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.