Malware disguised as Secure Wi-Fi Service pre-installed on 5m smartphones


The three most popular brands targeted are Honor, Huawei, and Xiaomi with phones by OPPO, vivo, Meizu, LeEco, Coolpad, GIONEE, and even Samsung making the list.

Image courtesy Check Point Research

At one point in time, malware seemed to be localized to Windows computers. Over the past few years, it has also become prevalent on other devices, including mobile devices. According to Check Point Research, the latest malware is an adware program that has supposedly infected over 5 million (mostly) Chinese-made smartphones since September 2016. The three most popular brands targeted are Honor, Huawei, and Xiaomi with phones by OPPO, vivo, Meizu, LeEco, Coolpad, GIONEE, and even Samsung making the list.


The number of devices for each brand affected by RottenSys (image courtesy Check Point Research).

The malware in question has been dubbed RottenSys and masks itself as a “Secure Wi-Fi Service” on infected devices. It works by displaying ads, for which the attackers collect on a per-click and per-thousand-impressions basis. Check Point Research found that in a period of 10 days earlier this month, RottenSys served up 13,250,756 ads, which were clicked over 500,000 times, resulting in $115,000 of earnings for the attackers.

As best as Check Point Research can tell, just under half the infected phones came through Tian Pai, a mobile phone supply chain distributor based out of Hangzhou. While these devices appear to have had the adware installed before purchase, Check Point Research was quick to mention that Tian Pai may have no knowledge of the pre-installed malware. For the full technical analysis of RottenSys, hit up the link at the bottom of this post.

To check if your device is infected with RottenSys, go to Android system settings → App Manager, and then look for the following possible malware package names:

  • com.android.yellowcalendarz
  • com.changmi.launcher
  • com.android.services.securewifi
  • com.system.service.zdsgt

If any of the above is in the list of your installed apps, simply uninstall it.
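The same check can be run over adb instead of through the settings screen, which is handy when several phones need checking. This is an added example, not code from Check Point Research or from this article; the function names and the sample listing (including `com.changmi.launcher.theme`) are constructed for illustration, and `scan_device` assumes adb is installed and USB debugging is enabled.

```shell
#!/bin/sh
# Added example: look for the article's RottenSys package names in the
# output of `pm list packages`.

# The four package names listed in the article.
ROTTENSYS_PKGS='com.android.yellowcalendarz
com.changmi.launcher
com.android.services.securewifi
com.system.service.zdsgt'

# Reads `pm list packages` output on stdin ("package:<name>" per line) and
# prints each listed name that is installed.
# Returns 0 if at least one was found, 1 if none were.
find_rottensys() {
    # Drop the CR some adb versions append, strip the "package:" prefix,
    # then match fixed strings (-F) against the whole line (-x) so a longer
    # name that merely starts with a listed one is not reported.
    tr -d '\r' | sed -n 's/^package://p' | grep -Fx -e "$ROTTENSYS_PKGS"
}

# Scans one attached device, identified by its adb serial.
# Returns 0 = none found, 1 = listed package found, 2 = adb failed.
scan_device() {
    listing=$(adb -s "$1" shell pm list packages) || {
        echo "$1: could not list packages over adb" >&2
        return 2
    }
    if hits=$(printf '%s\n' "$listing" | find_rottensys); then
        printf '%s: listed packages installed:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf '%s: none of the listed packages found\n' "$1"
}

# Constructed sample listing (not from a real device), with CRLF endings
# and one look-alike name that must NOT be reported.
SAMPLE=$(printf '%s\r\n' \
    'package:com.android.settings' \
    'package:com.android.services.securewifi' \
    'package:com.changmi.launcher.theme' \
    'package:com.system.service.zdsgt')

printf '%s\n' "$SAMPLE" | find_rottensys || echo "none found"
```

To check a connected phone, call `scan_device` with a serial taken from `adb devices`.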

We do have an Honor 7 that we’re currently reviewing and can confirm that we did not find any of those package names installed on our review device. It’s quite possible this adware is only affecting devices in some markets outside the U.S., but it never hurts to check — especially if you bought a device from one of the affected vendors over the internet.

Do you have one of the phones that were infected with RottenSys? Let us know in the comments below or on Google+, Twitter, or Facebook.

  Source: Check Point Research