Five Million Android Mobile Devices Pre-Installed With 'Aggressive' Malware
Advanced malware disguises itself as a 'System Wi-Fi service', and came pre-installed on millions of Android mobile phones...
Android malware is not a new topic; indeed, the rise in overall volume has been well documented: the number of unique mobile malware samples increased to 108,439 in 2017, a rise of 94 per cent over 2016, according to a recent Trend Micro report.
However, a new malware family has been spotted by researchers that has taken an unusual route to propagation, and has also been phenomenally successful, having infected nearly 5 million devices since 2016. The malware is currently configured to generate fraudulent ad revenue, and the researchers estimate that the attackers earned over $115k from their malicious operation in the last ten days alone.
The first unusual element in the ‘RottenSys’ malware make-up is that it appears to have been pre-installed on a wide range of Android smartphones from Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE. It initially disguises itself as a System Wi-Fi service, according to the Check Point Mobile Security Team, and asks for a slew of sensitive Android permissions, such as the accessibility service permission, user calendar read access and silent download permission, none of which a genuine Wi-Fi service would need.
"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times, and 548,822 of which were translated into ad clicks," said the Check Point researchers.
RottenSys uses two evasion techniques. The first is a simple delay before beginning operations, so that users do not connect the app with the malicious activity that follows. The second is the classic ‘dropper’ technique: the installed package is not itself malicious and exhibits no malicious activity until it contacts its Command and Control (C&C) server and silently downloads further components, using the Android DOWNLOAD_WITHOUT_NOTIFICATION permission. After the download, the malware loads an open-source Android framework called ‘Small’ (github.com/wequick/small) that allows all the downloaded components to run alongside each other, which currently results in a flurry of advertisements on the device’s home screen, either as pop-up windows or as full-screen ads.
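The two paragraphs above make the same defensive point twice: the permissions an app requests should match the job it claims to do, and a supposed Wi-Fi service holding accessibility, calendar and silent-download permissions is out of place. The following Python is an added triage example, not code from the article or from Check Point; it parses a constructed, simplified text modelled on the "requested permissions:" blocks that `adb shell dumpsys package` prints (the package names and hashes are made up) and flags Wi-Fi-named packages whose permission set includes any of the three permissions the article names. `BIND_ACCESSIBILITY_SERVICE`, `READ_CALENDAR` and `DOWNLOAD_WITHOUT_NOTIFICATION` are real Android permissions; the assumption that a package with "wifi" in its name is the Wi-Fi component is a deliberately crude heuristic for illustration.

```python
import re
from typing import Dict, List

# Constructed sample input, shaped like the per-package "requested permissions:"
# section of `adb shell dumpsys package` but simplified; not a real device capture.
SAMPLE_DUMPSYS = """\
Package [com.android.settings] (1a2b3c):
  requested permissions:
    android.permission.ACCESS_WIFI_STATE
    android.permission.CHANGE_WIFI_STATE
Package [com.example.wifiservice] (4d5e6f):
  requested permissions:
    android.permission.ACCESS_WIFI_STATE
    android.permission.CHANGE_WIFI_STATE
    android.permission.BIND_ACCESSIBILITY_SERVICE
    android.permission.READ_CALENDAR
    android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    android.permission.INTERNET
Package [com.example.calendar] (7a8b9c):
  requested permissions:
    android.permission.READ_CALENDAR
    android.permission.INTERNET
"""

# The three permissions the article says a Wi-Fi service has no reason to hold.
# BIND_ACCESSIBILITY_SERVICE is what an accessibility service must declare.
SUSPICIOUS_FOR_WIFI = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_CALENDAR",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
}


def parse_requested_permissions(text: str) -> Dict[str, List[str]]:
    """Map each package name to the permissions listed under 'requested permissions:'."""
    result: Dict[str, List[str]] = {}
    current = None
    in_block = False
    for line in text.splitlines():
        header = re.match(r"Package \[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            result[current] = []
            in_block = False
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block and current and stripped.startswith("android.permission."):
            result[current].append(stripped)
        elif in_block and not line.startswith("    "):
            in_block = False  # left the indented permission list
    return result


def looks_like_wifi_service(package: str) -> bool:
    """Crude name heuristic (assumption for illustration): 'wifi' in the package name."""
    return "wifi" in package.lower()


def flag_suspicious(perms_by_pkg: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return Wi-Fi-looking packages that request permissions a Wi-Fi service does not need."""
    findings: Dict[str, List[str]] = {}
    for pkg, perms in perms_by_pkg.items():
        if not looks_like_wifi_service(pkg):
            continue
        unexpected = sorted(set(perms) & SUSPICIOUS_FOR_WIFI)
        if unexpected:
            findings[pkg] = unexpected
    return findings


if __name__ == "__main__":
    for pkg, perms in flag_suspicious(parse_requested_permissions(SAMPLE_DUMPSYS)).items():
        print(f"{pkg}: unexpected for a Wi-Fi service -> {', '.join(perms)}")
```

The calendar app in the sample also holds `READ_CALENDAR` but is not flagged: the check is about mismatch between an app's stated role and its permissions, not about any permission being bad in isolation, which is exactly the reasoning the researchers apply to the fake Wi-Fi service.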
While this activity does not immediately compromise user data, the researchers found that the attackers have been testing a new botnet campaign via the same C&C server, raising the prospect of wider campaigns and more malicious activity in the future.
“The botnet will have extensive capabilities including silently installing additional apps and UI automation. Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of Android devices”, summarised the researchers.
Ilia Kolochenko, CEO, High-Tech Bridge, warned that the value of a mobile device to attackers is only increasing: “Compromised mobile phones are even more critical than a personal computer or account on a website. Users tend to store huge amounts of personal and very sensitive data on their mobile devices, including their photos, financial information, passwords for dating and health apps, access codes for the offices, and even strictly confidential data of their employers. A compromised mobile device can lead to irreparable harm in terms of financial and reputational damage.
“Users were reluctant to update their Windows XP machines fifteen years ago, now they demonstrate the same carelessness towards their mobile phones. If nothing changes then cybercriminals will skyrocket their illicit income from ransomware, blackmailing, and data theft affecting mobile phones.
“Continuously keeping your mobile phone up to date, avoiding jailbreaking (iPhone) and rooting (Android) devices, and finally prudence when installing new apps are simple precautions that can prevent 99 per cent of attacks against your mobile crown jewels.”
Mobile ransomware is certainly on the rise, as are banking-related Trojans. Trend Micro's 2017 Mobile Threat Landscape report detailed a 94 per cent rise in the number of unique mobile banking malware samples spotted in 2017.
High-Tech Bridge recently launched a free online service, “Mobile X-Ray”, to test mobile application security and privacy. It detects a wide spectrum of common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report with remediation guidance. The tool has scanned more than 73,000 apps to date, and the most common OWASP Mobile Top 10 flaws found in those apps are improper use of platform (31 per cent), followed by insecure data storage (20 per cent), insufficient cryptography (14 per cent), poor code quality (14 per cent) and extraneous functionality (12 per cent).