Once again, Android is vulnerable to a serious piece of malware, and this time the scale of the infection is larger than one might imagine. Security researchers have come across a huge, relentless campaign that has infected about 5 million mobile devices worldwide. The malware has been dubbed RottenSys.
Attackers have disguised it as a System Wi-Fi Service app that came pre-installed on millions of new devices from widely distributed brands such as Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung, and GIONEE. The devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but it is not known whether the company has anything to do with the malicious campaign.
More about the RottenSys Android Malware Campaign
Researchers from the Check Point Mobile Security Team discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad revenue. By all appearances, this is an advanced piece of malware designed to take over Android permissions in order to carry out its malicious operations.
According to the findings, the malware began spreading in September 2016. By March this year, it had infected 4,964,460 devices, making it one of the largest Android malware campaigns.
How Is RottenSys Bypassing Detection?
The malicious actors behind the operation clearly know what they are doing, as the fake System Wi-Fi Service app does not contain malicious components at first. It also does not initiate any suspicious activity and stays quiet for a while. Rather than behaving aggressively, the malware communicates with its command and control server to obtain the list of the components that actually contain malicious code.
Then the RottenSys malware proceeds to download the malicious components silently, via the DOWNLOAD_WITHOUT_NOTIFICATION permission, which does not require any user interaction. Typically, the malware downloads three additional components.
Once all the needed components are downloaded, RottenSys deploys an open-source Android application virtualization framework called ‘Small’ (github.com/wequick/small). The framework enables all the components to run simultaneously to achieve the combined malicious functionality of an extensive rogue ad network that displays advertisements on the device’s home screen in the form of either pop-up windows or full-screen ads, the researchers explained.
To avoid having its operation shut down by the Android system, RottenSys uses another open-source framework called MarsDaemon (github.com/Marswin/MarsDaemon). While MarsDaemon keeps processes alive, it also hinders the device’s performance and drains the battery.
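A defender-side triage script, added here and not taken from the article or from Check Point: it parses output shaped like `adb shell dumpsys package` (a constructed sample is embedded) and lists pre-installed apps that request the DOWNLOAD_WITHOUT_NOTIFICATION permission described above. The package names and the dumpsys excerpt are constructed assumptions for the example, not indicators from the campaign.

```python
import re
# Permission the article names for RottenSys's background payload downloads. Legitimate
# apps request it too, so a hit is a triage lead for pre-installed apps, not a verdict.
SILENT_DOWNLOAD = "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Constructed excerpt shaped like `adb shell dumpsys package` output; names are placeholders.
SAMPLE_DUMPSYS = """\
Package [com.example.wifiservice] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (4d5e6f):
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
Package [com.example.camera] (7a8b9c):
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.CAMERA
"""

def parse_dumpsys(text: str) -> dict:
    """Map package name -> {"system": bool, "permissions": [requested permissions]}."""
    pkgs, current, in_perms = {}, None, False
    for line in text.splitlines():
        item = line.strip()
        header = re.match(r"Package \[([\w.]+)\]", item)
        if header:
            current = pkgs.setdefault(header.group(1), {"system": False, "permissions": []})
            in_perms = False
        elif current is None:
            continue                                  # preamble before the first package
        elif item.startswith("flags=") and "SYSTEM" in item:
            current["system"] = True                  # shipped on the system image
        elif item == "requested permissions:":
            in_perms = True
        elif in_perms and (item.endswith(":") or "=" in item):
            in_perms = False                          # next section, e.g. install permissions
        elif in_perms:
            current["permissions"].append(item)
    return pkgs

def flag_silent_downloaders(pkgs: dict, system_only: bool = True) -> list:
    """Packages holding SILENT_DOWNLOAD; by default only those pre-installed as system apps."""
    return sorted(name for name, info in pkgs.items() if SILENT_DOWNLOAD in info["permissions"]
                  and (info["system"] or not system_only))
```

On a real device, feed the script the saved output of `adb shell dumpsys package` and review the flagged system packages against the vendor's known app list before uninstalling or disabling anything.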
It is also worth noting that RottenSys has been adapted to use the Guang Dian Tong (Tencent ads platform) and the Baidu ad exchange for its ad fraud operation. In addition, the researchers say the malware has quite a few variants of its payloads (the dropper and the additional components), each tailored to a different campaign, device type, advertising platform, and distribution channel.
The researchers identified two parallel C&C servers which were used by RottenSys for its operation. They “also managed to analyze the attacks and define separate channels in which the attackers operate and even ascertain the volume of infected devices and fraudulent ads displayed to users”.
The bottom line is that the RottenSys operation is an extremely aggressive ad network:
In the past 10 days alone, it popped up aggressive ads 13,250,756 times, 548,822 of which were translated into ad clicks. As an example of the possible revenue stream attackers enjoy from this malware, we [the researchers] calculated the revenue from these impressions and clicks according to the conservative estimate of 20 cents for each click and 40 cents for each thousand impressions. According to these calculations, the attackers earned over $115k from their malicious operation in the last ten days alone!
What Can Be Done to Mitigate RottenSys?
Users should uninstall the RottenSys dropper. However, the exact package name must be known so that it is removed completely. If you are seeing unknown ads on the home screen of your brand-new phone, go to Android system settings, then to the app manager, and locate the following possible malware package names. Then uninstall them: