Researchers at Check Point discovered attackers infecting the device with a strain of malware dubbed RottenSys that aggressively display ads on victims’ devices.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.” reads the analysis of Check Point.
The experts started the investigation after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. The researchers discovered the service does not provide any secure Wi-Fi, instead, it asks for many Android permissions.
The RottenSys malware implements two evasion techniques:
The malicious code relies on two open-source projects:
According to the experts, the botnet will have extensive capabilities including silently installing additional apps and UI automation, there is the risk that crooks will use it to carry on more dangerous activities such as ransomware distribution.
“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” continues the analysis.
The RottenSys malware was first spotted in September 2016, the number of victims grew across the time, today the number of infected systems is 4,964,460.
At the time, the malicious code only targets the Chinese users, it is bundled in Chinese apps and it is infecting mostly phones mobile devices, such as Huawei, Xiaomi, OPPO, vivo, LeEco, and Coolpad.
Attackers are financially motivated, according to Check Point botnet operators are currently making around $115,000 every ten days. The experts calculated the revenue from these impressions and clicks according to the conservative estimation of 20 cents for each click and 40 cents for every thousand impressions.
Further info is included in the report published by Check Point.
(Security Affairs – RottenSys, botnet)