RottenSys is the name of a strain of Android malware used in a Chinese operation that has been building a huge botnet of almost 5 million Android devices. In its current form, the crooks use it to display ads on infected devices quite aggressively. However, based on evidence found by the security firm Check Point, the cybercriminals behind this strain are deploying a new module written in Lua to gather all the infected Android devices into a massive botnet.
“This botnet will have extensive capabilities including silently installing additional apps and UI automation,” the Check Point researchers stated. They fear that the crooks behind RottenSys might take advantage of this Android malware for more nefarious purposes, causing far more damage to devices and users than just displaying intrusive ads.
RottenSys has been active since 2016, but it wasn’t always this dangerous. The malware was first spotted back in September 2016, when the cybercriminals were busy spreading it to new devices. The time the crooks invested in spreading it seems to have paid off, as the number of RottenSys victims has grown steadily: according to Check Point, RottenSys has infected approximately 4,964,460 Android devices.
Although the malware isn’t new, its dangerous botnet component, added only last month, in February of this year, gives the crooks control over all the infected devices.
Based on the ad impressions that the researchers were able to observe during their analysis of the Android malware, they have estimated that the cyber crooks behind RottenSys are making around $115,000 every ten days.
This Android malware is currently active only on the Chinese market, where it is bundled in Chinese apps and has been infecting mostly phones that are popular locally: Huawei, with over 1 million infected devices; Xiaomi, with almost a million; and other brands such as OPPO, vivo, LeEco, GIONEE and Coolpad.
Other Android malware groups have been observed before, but only a few have managed to infect such a huge number of devices. The reason lies in the malware’s code. According to the analysis, RottenSys uses two open-source projects shared on GitHub: Small, an application virtualization framework, and MarsDaemon, a library that keeps apps “undead”.
During its attack, the first thing this Android malware does is use Small to create virtualized containers for its internal components, which lets them run in parallel and helps the malware with the app delivery process. This is something the Android operating system does not support natively. In the second part of its attack, RottenSys uses MarsDaemon to keep its processes alive even after a user closes them, which assures the malware that the ad-injecting mechanism cannot be turned off.

So far, the only weak point in the malware’s internal mode of operation is the installation routine. Why? Mainly because apps infected with the malware tend to ask users for a great many permissions. So if users pay close attention to their devices, they can easily spot the malware and avoid installing the malware-laden apps. Sadly, not all Android users care much about details or seem to be privacy-conscious, so their phones end up among the 5 million devices infected with RottenSys. And need I remind you: Google Play Store is not available in China, so you can really expect that not all users in that country are well-informed about the proper Android security measures to take when installing apps from third-party sources.
In addition, according to evidence found by the Check Point researchers, almost half of the infected Android devices were purchased through a China-based phone distributor named “Tian Pai”, which suggests that either a group or an employee there might be responsible for installing some of the RottenSys-infected apps on the devices before purchase.
Note that even though RottenSys mainly targets the Chinese region, it could also infect users all over the globe, as it uses the Small and MarsDaemon components, which might have become popular among other malware strains. Moreover, it is also not clear how the cyber crooks behind this Android malware intend to use the botnet they have recently created, though we might see it being used for DDoS attacks, just as the WireX crew used their botnet right before it was shut down by security firms and law enforcement.
Below is a table containing the list of apps infected with RottenSys:
| Package name | Name of the App |
|---|---|
| com.android.yellowcalendarz | 每日黄历 |
| com.changmi.launcher | 畅米桌面 |
| com.android.services.securewifi | 系统WIFI服务 |
| com.system.service.zdsgt | |
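A quick way to turn the table above into a check is to compare a device’s installed package list against those names. The script below is an added example, not code from the article or from Check Point; it parses the `package:<name>` lines that `adb shell pm list packages` prints, and the sample listing it runs on is constructed for illustration.

```python
"""Check an Android package listing for the RottenSys package names
published in the table above. Added example, not from the original
article or from Check Point; the sample 'pm list packages' output is
constructed for illustration."""

# Package names exactly as listed in the article's table (no others assumed).
ROTTENSYS_PACKAGES = {
    "com.android.yellowcalendarz",
    "com.changmi.launcher",
    "com.android.services.securewifi",
    "com.system.service.zdsgt",
}


def parse_pm_list(output: str) -> list[str]:
    """Parse the output of `adb shell pm list packages`, which prints one
    'package:<name>' line per installed package; blank and unrelated lines
    are ignored."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):].strip())
    return names


def find_rottensys(output: str) -> list[str]:
    """Return the installed packages that match the known RottenSys list,
    in the order they appear in the listing."""
    return [p for p in parse_pm_list(output) if p in ROTTENSYS_PACKAGES]


# Constructed sample listing: two benign packages and two from the table.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.android.yellowcalendarz
package:com.example.notes
package:com.system.service.zdsgt
"""

if __name__ == "__main__":
    hits = find_rottensys(SAMPLE_PM_OUTPUT)
    if hits:
        print("RottenSys indicators found:", ", ".join(hits))
    else:
        print("No RottenSys package names found")
```

On a real device, pipe `adb shell pm list packages` into `find_rottensys` instead of the constructed sample; a match is only an indicator and should be confirmed by inspecting the package itself.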