Israel-based Check Point Security found a malware family, RottenSys, on several Chinese smartphones. It was disguised as a Wi-Fi service and helps attackers earn revenue through forcefully displayed ads.
The company confirmed that the malware started in September 2016. It also said that Honor, Huawei and Xiaomi are the top brands affected by this malware. It also confirmed the number of affected devices: 4,964,460 by March 2018.
These are the most targeted devices.
Researchers from Check Point Security found a Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. It was asking for many sensitive Android permissions, such as silent download permission, user calendar read access and accessibility service permission. None of these is something a Wi-Fi service needs.
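The permission mismatch described above can be turned into a simple audit of a device's package listing. The following is an added example, not code from Check Point or from the original article; the mapping of the three named permissions to Android permission strings is an assumption, and the sample input and package names are constructed.

```python
import re
# Assumption: the three permissions the article names, as Android permission strings.
SUSPECT = {
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",  # silent download
    "android.permission.READ_CALENDAR",                  # calendar read access
    "android.permission.BIND_ACCESSIBILITY_SERVICE",     # accessibility service
}

# Constructed sample shaped like `adb shell dumpsys package` output; names are made up.
SAMPLE = """\
Packages:
  Package [com.example.wifiservice] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.READ_CALENDAR
      android.permission.BIND_ACCESSIBILITY_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.calendar] (4d5e6f):
    requested permissions:
      android.permission.READ_CALENDAR
      android.permission.WRITE_CALENDAR
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
HEADER_RE = re.compile(r"^\s*([A-Za-z ]+):\s*$")  # section header such as "install permissions:"

def requested_permissions(dump):
    """Return {package: set of permissions} taken from 'requested permissions' blocks."""
    perms, pkg, in_block = {}, None, False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:  # a new package entry starts; leave any previous block
            pkg, in_block = m.group(1), False
            perms.setdefault(pkg, set())
            continue
        h = HEADER_RE.match(line)
        if h:  # only the requested-permissions section is collected
            in_block = h.group(1).strip() == "requested permissions"
            continue
        if pkg and in_block and line.strip():
            # Drop any ": flag=value" suffix that some Android versions append.
            perms[pkg].add(line.strip().split(":")[0])
    return perms

def flag_packages(dump, threshold=3):
    """Packages requesting at least `threshold` of the SUSPECT permissions."""
    hits = {p: sorted(s & SUSPECT) for p, s in requested_permissions(dump).items()}
    return {p: f for p, f in hits.items() if len(f) >= threshold}
```

A flagged package is only a candidate for review: legitimate apps may request any one of these permissions, which is why the default threshold requires all three together.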
RottenSys uses two evasion techniques. First, it postpones its operation for a set time to avoid a connection being made between the malicious activity and the app. Second, it does not show any malicious activity at first and comes with just a dropper component. It installs the dropper later when the device is active.
Then it starts downloading the necessary components. RottenSys uses an open-source Android framework called ‘Small’. It is an Android application virtualization framework that allows all components to run alongside each other at the same time. It also uses another open-source framework called MarsDaemon that keeps processes alive, to ensure that they are not shut down by the Android system.
This malware is basically adware: it shows aggressive ads on the smartphone to earn a decent amount of revenue. It displays advertisements on the device’s home screen, as pop-up windows or as full-screen ads.
There are several people complaining about heavy ads on their devices. Check Point also posted screenshots of such complaints.
Indian users could be the most affected, since Xiaomi and Honor have sold notable numbers of devices in India. The Redmi Note 4 and Redmi 4 were the two best-selling devices of 2017. Honor also sold notable numbers of the Honor 6X. At this moment, it is not clear whether devices being sold in India are also infected. We have also not seen such complaints from Indian consumers.