Pre-installed malware discovered on nearly 5 million popular Android phones
Security researchers have uncovered a large and still-growing malware campaign that has already infected nearly 5 million phones worldwide.
The malware, dubbed RottenSys, was found pre-installed on millions of new phones from Honor, Huawei, Xiaomi, Oppo, Vivo, Samsung and Gionee. All of the affected devices were shipped through the distributor Tian Pai, but the researchers are not sure whether the company itself took part in the campaign.
According to the Check Point Mobile Security team that discovered the campaign, RottenSys is an advanced piece of malware that poses as a Wi-Fi service but provides no such functionality; instead it requests almost every sensitive Android permission in order to carry out its malicious activities. By their account, RottenSys began spreading in September 2016, and by March 12, 2018, 4,664,460 devices had been infected.
To avoid detection, the fake Wi-Fi service initially ships without any malicious component, and no malicious activity starts right away. Instead, RottenSys is designed to contact its command-and-control (C&C) servers to obtain the list of components it needs, which contain the actual malicious code. It then fetches and installs those components using Android's download manager with the DOWNLOAD_WITHOUT_NOTIFICATION permission, so no user interaction is required.
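The staging behaviour described above gives a defender one concrete triage signal: an app that calls itself a Wi-Fi service but requests silent downloads alongside a broad set of sensitive permissions. The following added example (not Check Point's code, and not taken from the article) parses the "requested permissions:" block as printed by `adb shell dumpsys package <pkg>` and scores each package on that combination. The dumpsys text embedded below is constructed for the example, the package names are placeholders, and the watch-list of "sensitive" permissions is an assumed starting point that an analyst would tune.

```python
"""Triage of Android package permission dumps for RottenSys-style staging.

Added example, not the original page's or Check Point's code. It parses the
"requested permissions:" section of `adb shell dumpsys package` output and
flags packages that request DOWNLOAD_WITHOUT_NOTIFICATION together with
several other sensitive permissions. The sample dump is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SILENT_DOWNLOAD = "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Assumed watch-list: permissions that let a "Wi-Fi service" persist, install
# further packages, draw over other apps or fingerprint the device.
SENSITIVE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_TASKS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)\s*$")

# Constructed sample: one suspicious "Wi-Fi service" and one benign notes app.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.wifiservice] (1a2b3c4):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (5d6e7f8):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""


@dataclass
class Finding:
    package: str
    silent_download: bool
    sensitive: list[str] = field(default_factory=list)

    def score(self) -> int:
        # Silent download is weighted heavily; each sensitive permission adds 1.
        return (5 if self.silent_download else 0) + len(self.sensitive)

    def is_high(self) -> bool:
        # Staging (silent download) plus persistence/install/overlay capability.
        return self.silent_download and len(self.sensitive) >= 3


def parse_requested_permissions(dump: str) -> dict[str, set[str]]:
    """Map package name -> set of requested permissions from dumpsys text."""
    result: dict[str, set[str]] = {}
    current = None
    in_block = False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            in_block = False
            continue
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if m and current is not None:
                result[current].add(m.group(1))
            else:
                in_block = False  # any non-permission line ends the block
    return result


def triage(perms: dict[str, set[str]]) -> list[Finding]:
    """Return findings for packages with silent-download or sensitive perms."""
    findings = []
    for pkg, ps in perms.items():
        silent = SILENT_DOWNLOAD in ps
        sens = sorted(ps & SENSITIVE)
        if silent or sens:
            findings.append(Finding(pkg, silent, sens))
    return sorted(findings, key=lambda f: f.score(), reverse=True)


if __name__ == "__main__":
    for f in triage(parse_requested_permissions(SAMPLE_DUMP)):
        level = "HIGH" if f.is_high() else "review"
        print(f"{level:6} {f.package} score={f.score()} silent={f.silent_download}")
        for p in f.sensitive:
            print(f"         {p}")
```

On a real device the same parser can be fed the output of `adb shell dumpsys package` for every package, and the `is_high` findings are the ones worth pulling APKs for; the heuristic only ranks candidates, it does not identify RottenSys by itself.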
At present the campaign is pushing an aggressive adware component to all infected devices, which forces ads onto the device's home screen as pop-ups or full-screen ads in order to generate fraudulent advertising revenue.
The researchers describe RottenSys as an aggressive ad network. In the last 10 days alone it displayed intrusive ads 13,250,756 times, of which 548,822 were converted into ad clicks that earn revenue. The attackers made more than $115,000 in those 10 days, but, the researchers said, they appear to have more in mind than forced advertising.
Because RottenSys is built to download and install any new component its command-and-control channel tells it to, the attackers can take full control of the millions of infected devices. The investigation also turned up evidence that they have already begun turning infected devices into a massive botnet. Some infected devices have received a new RottenSys component that gives the attackers broader capabilities, including silently installing additional applications and automating the user interface.
The researchers noted that part of the botnet control mechanism is implemented in Lua scripts, and that without intervention the attackers can reuse their existing distribution channel to seize full control of millions of devices.