A new strain of malware named RottenSys has been discovered targeting users for fraudulent ad revenues.
Experts at Check Point said that the malware has infected around 5 million devices since 2016, and that since the beginning of February 2018 the attackers have been observed testing a new botnet campaign through the same C&C server.
“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.”
Researchers discovered the malware after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone that does not provide any secure Wi-Fi-related service to users. Instead, it asks for various Android permissions, such as the accessibility service, silent download permission, and user calendar access.
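A defender-side triage check, added here as an example and not taken from Check Point's report or tooling: it parses a decoded AndroidManifest.xml and flags an app that declares all three capabilities named above (an accessibility service, silent downloads, and calendar access). The manifest is a constructed sample with placeholder package and class names, and the mapping of "silent download permission" to android.permission.DOWNLOAD_WITHOUT_NOTIFICATION is an assumption.

```python
"""Flag an Android manifest that combines the three capabilities reported
for the disguised "system Wi-Fi service": accessibility service binding,
notification-free downloads and calendar access.

Added example, not Check Point's code. The sample manifest is constructed;
package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions mapped to the capabilities described in the write-up.
# Assumption: "silent download permission" refers to the DownloadManager
# permission that suppresses the status-bar notification for downloads.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_CALENDAR": "calendar access",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent download",
}
# A service guarded by this permission is an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample resembling the disguised Wi-Fi service (not a real artefact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.wifi">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
    <application android:label="系统WIFI服务">
        <service android:name=".WifiAccessibilityService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign control: a normal app asking only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Return {capability label: declaring permission or service name}."""
    root = ET.fromstring(manifest_xml)
    caps = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        label = SUSPICIOUS_PERMISSIONS.get(name)
        if label:
            caps[label] = name
    for svc in root.iter("service"):
        # Accessibility services must be guarded by BIND_ACCESSIBILITY_SERVICE.
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND:
            caps["accessibility service"] = svc.get(NAME_ATTR, "")
    return caps


def triage(manifest_xml: str, min_hits: int = 3) -> dict:
    """Summarise the manifest; 'suspicious' is set when all three capabilities
    (by default) are present together."""
    root = ET.fromstring(manifest_xml)
    caps = extract_capabilities(manifest_xml)
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "suspicious": len(caps) >= min_hits,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The check is deliberately conservative: any one of these permissions is common in legitimate apps, so only the combination is flagged. In practice it would run over manifests decoded from APKs pulled from a device or an app-store feed.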
The RottenSys malware relies on two evasive techniques. The first postpones its operation for a set time, so that the user does not connect the malicious app with the malicious activity.
The second uses a dropper component that shows no activity at first. Once the device is active, the app installs the dropper, which contacts the command and control server; the C&C server then sends back the list of additional components required for its activity.
These additional components are the actual malicious code, downloaded from the command and control server after the dropper receives the list.
The malware uses two open-source projects, Small and MarsDaemon. Small is an Android application virtualization framework that allows all the components to run in parallel at the same time.
MarsDaemon is used to keep the processes alive. It lets the attackers keep injecting ads even after the user closes them.
Researchers said that the botnet will have features such as silently installing additional apps and UI automation. “Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.”
The malware has been infecting devices since September 2016 and had infected 4,964,460 devices as of March 12.
At the time of the analysis the malware was seen targeting only Chinese users. The top brands impacted by the malware are Honor, Huawei, Xiaomi, Oppo, Vivo, and Meizu.
According to the analysis, the malware earned around $115k in the last ten days alone. The researchers calculated the revenue from these impressions and clicks using a conservative estimate of 20 cents for each click and 40 cents for every thousand impressions.