The RottenSys botnet is already composed of nearly 5 million Android devices

RottenSys – A Chinese crime ring is building a huge botnet that is already composed of nearly 5 million Android device.

Researchers at Check Point discovered attackers infecting the device with a strain of malware dubbed RottenSys that aggressively display ads on victims’ devices.

“The Check Point Mobile Security Team has discovered a new widespread malware family targeting nearly 5 million users for fraudulent ad-revenues. They have named it ‘RottenSys’ for in the sample we encountered it was initially disguised as a System Wi-Fi service.” reads the analysis of Check Point.

The experts started the investigation after finding an unusual self-proclaimed system Wi-Fi service (系统WIFI服务) on a Xiaomi Redmi phone. The researchers discovered the service does not provide any secure Wi-Fi, instead, it asks for many Android permissions.

The RottenSys malware implements two evasion techniques:

  • The first technique consists of postponing operations for a set time.
  • The second technique uses a dropper which does not display any malicious activity at first. Once the device is active and the dropper contacts the Command and Control (C&C) server which sends it a list of additional components required for its activity.

The malicious code relies on two open-source projects:

  • The Small  virtualization framework. RottenSys uses Small to create virtualized containers for its components, with this trick the malware could run parallel tasks, overwhelming Android OS limitations.
  • The MarsDaemon library that keeps apps “undead.” MarsDaemon is used to keep processes alive, even after users close them. Using it the malware is always able to inject ad.

According to the experts, the botnet will have extensive capabilities including silently installing additional apps and UI automation, there is the risk that crooks will use it to carry on more dangerous activities such as ransomware distribution.

“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.” continues the analysis.

The RottenSys malware was first spotted in September 2016, the number of victims grew across the time, today the number of infected systems is 4,964,460.

At the time, the malicious code only targets the Chinese users, it is bundled in Chinese apps and it is infecting mostly phones mobile devices, such as Huawei, Xiaomi, OPPO, vivo, LeEco, and Coolpad.

RottenSys chart 2.png

Attackers are financially motivated, according to Check Point botnet operators are currently making around $115,000 every ten days. The experts calculated the revenue from these impressions and clicks according to the conservative estimation of 20 cents for each click and 40 cents for every thousand impressions.

Further info is included in the report published by Check Point.

Pierluigi Paganini

(Security Affairs – RottenSys, botnet)


The post The RottenSys botnet is already composed of nearly 5 million Android devices appeared first on Security Affairs.



Leave a Reply