Even as Google continues to implement new policies to make Android safer, security researchers keep finding severe flaws in the OS that could compromise the privacy and security of millions of users around the world. One of the disconcerting things about Android security is the growing number of cases of malware being shipped pre-installed on phones and tablets. What’s even more alarming is that this malware isn’t only being shipped on devices from smaller, lesser-known brands, but on phones from giant multinational enterprises, such as Huawei, Xiaomi, and even Samsung.
Meet Pre-installed Malware ‘RottenSys’
Cyber-security researchers at Check Point Mobile Security have now detailed a new malware called RottenSys that they claim was found on millions of brand new smartphones from several reputable brands, such as Honor, Huawei, Xiaomi, Oppo, Vivo, Samsung and Gionee, among others.
The researchers stopped short of directly accusing the vendors of complicity, pointing out instead that a Hangzhou-based mobile phone distributor called Tian Pai was the common link between all the affected units, irrespective of the brand. The malware displays advertisements on the affected device’s home screen, as pop-up windows or as full-screen ads.
Spotting the Malware
Check Point researchers first spotted RottenSys on a Xiaomi Redmi device, where it was disguised as a ‘System Wi-Fi service’, although it does not provide any Wi-Fi service at all. It also asks for a set of permissions that have nothing to do with Wi-Fi, such as the accessibility service permission, user calendar read access and the silent download permission (see image below).
RottenSys in Numbers
As far as the timeline is concerned, the Check Point Mobile Security team says that the RottenSys malware began propagating in September 2016, and by March 12, 2018, as many as 4,964,460 devices were infected by it. Users in China seem to be the primary targets of the malware, seeing as it is adapted to use the ad platforms of Chinese tech giants Tencent and Baidu for its fraudulent operations.
Modus Operandi
According to the researchers, the malware has many different variants, all designed to communicate with their control servers without requiring any user permission. The apps themselves apparently don’t ship with any malicious code; instead, they download it silently in the background from their command centers using the “DOWNLOAD_WITHOUT_NOTIFICATION” permission, which doesn’t require any user interaction.
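The two indicators described above (an app presenting itself as a Wi-Fi service while requesting calendar and silent-download permissions it has no use for) can be turned into a simple inventory check. The script below is an added example, not code from the article or from Check Point; it parses `dumpsys package`-style output, and the package names, labels and listing are constructed for illustration rather than taken from the real malware.

```python
import re

# Permissions the write-up says RottenSys requests while posing as a Wi-Fi service.
# Both are real Android permission names; the accessibility permission is declared
# on a service rather than requested, so it is not covered by this check.
SUSPECT_PERMISSIONS = {
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent background download",
    "android.permission.READ_CALENDAR": "calendar read access",
}
# Permissions a genuine Wi-Fi helper would plausibly request.
WIFI_PERMISSIONS = {"android.permission.ACCESS_WIFI_STATE",
                    "android.permission.CHANGE_WIFI_STATE"}

def parse_requested_permissions(dumpsys_text):
    """Return {package: set(requested permissions)} from `dumpsys package` output."""
    packages, current, in_block = {}, None, False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:                              # new package section
            current, in_block = m.group(1), False
            packages[current] = set()
        elif line == "requested permissions:":
            in_block = True
        elif line.endswith(":"):           # any other section header ends the block
            in_block = False
        elif in_block and current and line.startswith("android.permission."):
            packages[current].add(line)
    return packages

def wifi_impostor_findings(labels, requested):
    """Flag apps whose label claims a Wi-Fi role but whose permissions disagree."""
    findings = {}
    for pkg, perms in requested.items():
        label = labels.get(pkg, "").lower()
        if "wi-fi" not in label and "wifi" not in label:
            continue
        reasons = [f"requests {p} ({why})" for p, why in SUSPECT_PERMISSIONS.items() if p in perms]
        if not perms & WIFI_PERMISSIONS:
            reasons.append("claims a Wi-Fi role but requests no Wi-Fi permission")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample; hypothetical package names, not real RottenSys identifiers.
SAMPLE_DUMPSYS = """\
  Package [com.example.wifiservice] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CALENDAR
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.realwifi] (4d5e6f):
    requested permissions:
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_WIFI_STATE
"""
SAMPLE_LABELS = {"com.example.wifiservice": "System Wi-Fi service",
                 "com.example.realwifi": "Wi-Fi Analyzer"}

if __name__ == "__main__":
    for pkg, why in wifi_impostor_findings(SAMPLE_LABELS, parse_requested_permissions(SAMPLE_DUMPSYS)).items():
        print(pkg, "->", "; ".join(why))
```

On a real device the listing comes from `adb shell dumpsys package`, and labels from any app inventory tool; the check only narrows the list of apps worth inspecting manually.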
What’s staggering is that RottenSys goes well beyond being a (relatively) harmless adware. According to Check Point, the cyber-criminals deploying the software have also been testing a new botnet campaign via the same command-and-control server.
Show Me the Money
The researchers have also detailed exactly how the software avoids detection while going about its merry ways, increasing data download charges, reducing battery life, affecting performance, and putting stress on the hardware. According to the company, RottenSys “popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks”.
At a conservative estimate of 20 cents for each click and 40 cents for each thousand impressions, the researchers believe the software has already earned over $115k for cyber-criminals in just a ten-day period.
How to Get Rid of RottenSys From Your Device?
Luckily, the researchers have also detailed an easy way of getting rid of the malware, in case you have it on your device. All you need to do is go to Settings > App Manager and then check whether any of the following unwanted services are active on your device. If they are, just uninstall the corresponding app, and you’ll be free from the malware.