Five million Android devices possibly infected with 'aggressive' pre-installed adware

21 Mar 18

Almost five million Android mobile devices may have been shipped with pre-installed adware called RottenSys – and security researchers suspect distributors may have played a part in the saga.

Check Point researchers Feixiang He, Bohdan Melnykov and Elena Root posted in a blog last week that the RottenSys mobile adware could have been installed in the devices’ supply chains since 2016.

They claim Honor, Huawei and Xiaomi devices are most affected by the ‘extremely aggressive ad network’. As of March 12 2018, 4,964,460 devices were infected by RottenSys.

When the researchers analysed the malware’s distribution channels, two names suggested a possible connection with Hangzhou-based mobile phone supply chain distributor Tian Pai.

“Tian Pai related channels contribute 49.2% of the total number of infested devices that we observed. According to China National Enterprise Credit Information Publicity System, Tian Pai offers a wide range of services from presales customization, online/offline wholesale to customer care. It covers regional sales of top brands in the market such as Samsung, HTC, Apple, Xiaomi, ZTE, Coolpad, Lenovo, and Huawei,” researchers state.

“Tian Pai may not be a direct participant in the campaign. Yet, this correlates with our hypothesis that the malware entered the user’s device before purchase.”

The RottenSys adware can manifest in a number of ways. On one Xiaomi Redmi device the malware was disguised as ‘System WiFi service’ – a service that does not provide any WiFi services but instead asks for Android permissions including user calendar read access, silent download permission and accessibility service permission.
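As an added defender-side example (not code from the article or from Check Point's research), a small Python triage helper that scores per-package `adb shell dumpsys package` output against the disguise described above: an app presenting itself as a WiFi service while touching no WiFi APIs and requesting calendar, silent-download and accessibility permissions. The permission names I map the article's wording to, and the sample dumps, are my assumptions and are constructed.

```python
import re

# Assumed mapping from the article's wording to Android permission names
# (my reading of the description, not something the article states).
SUSPECT_PERMS = {
    "android.permission.READ_CALENDAR": "calendar read access",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent download",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}
# Permissions a genuine WiFi helper would be expected to use.
WIFI_PERMS = {"android.permission.ACCESS_WIFI_STATE",
              "android.permission.CHANGE_WIFI_STATE"}
PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def permissions_in(dumpsys_text):
    """Collect every android.permission.* name mentioned in one package's dump."""
    return set(PERM_RE.findall(dumpsys_text))


def triage(packages):
    """packages: {package_name: (app_label, dumpsys_text)} -> {package_name: [reasons]}.

    A package is flagged when at least two independent indicators line up."""
    findings = {}
    for pkg, (label, text) in packages.items():
        perms = permissions_in(text)
        reasons = [why for perm, why in SUSPECT_PERMS.items() if perm in perms]
        # A "WiFi service" that requests no WiFi permission is the disguise described.
        if "wifi" in label.lower() and not perms & WIFI_PERMS:
            reasons.append("claims WiFi but requests no WiFi permissions")
        if len(reasons) >= 2:
            findings[pkg] = reasons
    return findings


# Constructed sample dumps in dumpsys-like layout (not real package data).
SAMPLE = {
    "com.example.fakewifi": ("System WiFi service", """
  requested permissions:
    android.permission.READ_CALENDAR
    android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    android.permission.INTERNET
  services:
    permission=android.permission.BIND_ACCESSIBILITY_SERVICE
"""),
    "com.example.realwifi": ("WiFi Manager", """
  requested permissions:
    android.permission.ACCESS_WIFI_STATE
    android.permission.CHANGE_WIFI_STATE
"""),
}
```

On a real device, feed `triage` the label and `dumpsys package <pkg>` text for each package from `adb shell pm list packages`; flagged entries are candidates for manual review, not proof of infection.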

The malware uses the Tencent ads platform (Guang Dian Tong) and Baidu ad exchange to conduct its ad fraud.

Check Point researchers say the malware uses two techniques to evade detection. It delays its malicious activity so that the installed app and the actions it later performs are harder to connect. It also uses a dropper component that contains no malicious code of its own.

However, once the device is activated and the dropper is installed, it contacts its command-and-control server and downloads the malicious code from there.

RottenSys also relies on an open source framework called MarsDaemon. The framework hinders device performance and contributes to battery drain. The framework is available on GitHub.

Chinese Android users have complained about RottenSys’s side effects and its tendency to display ‘aggressive’ home screen advertisements.

“In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks.”

Those ads could be bringing in 20 cents per click and 40 cents per thousand impressions – resulting in more than $115,000 in revenue for the attackers.

Researchers suggest that attackers are also using the same command and control server to test a new botnet campaign since February this year.

“The attackers plan to leverage Tencent’s Tinker application virtualization framework as a dropper mechanism. The payload which will be distributed can turn the victim device into a slave in a larger botnet,” they explain.

“This botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices.”
If your brand new phone is suffering from unknown ads on the home screen, please go to Android system settings, then to app manager, and look for the following possible malware package names and uninstall them:
