Security researchers came across an adware they named RottenSys (Trend Micro detects this family as ANDROIDOS_ROTTENSYS) that has reportedly affected nearly 5 million Android devices since 2016. Named after a sample they analyzed, RottenSys has 316 variants so far, each customized for the operators’ campaigns, targeted advertisement platform and distribution channel. Further probing revealed that the operators were also experimenting with a new campaign that turns affected devices into part of a botnet.
RottenSys is disguised as a Wi-Fi security app or service and requests Android permissions when installed. Once installed, it waits for a set period before connecting to its command-and-control (C&C) server; the delay is one of the ways RottenSys evades detection, since sandboxes and analysis tools that only watch an app briefly after launch never see the C&C traffic. A second evasion technique is that the installed app contains only a dropper component, which carries out no malicious routine by itself. Here is how RottenSys works:
Once installed, the dropper contacts the C&C server.
The C&C server sends a list of the other components needed to perform its routines. They are retrieved using the DOWNLOAD_WITHOUT_NOTIFICATION permission, so the download manager shows no notification and the unwitting user is not alerted.
RottenSys uses an open-source Android framework that lets all the downloaded components run at the same time (e.g., displaying ads on the device’s home screen).
RottenSys also abuses MarsDaemon, an open-source framework for keeping processes alive, so that its operations resume even if the user force-stops its process.
MarsDaemon degrades the device’s performance and can significantly drain its battery. Beyond the added wear and tear, the researchers estimated that RottenSys’ operators may have already earned more than US$115,000 within a span of 10 days.
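The traits described above (a silent download permission, MarsDaemon keep-alive code, and services spread across watchdog processes) are all visible in an app’s manifest before any code runs, which makes them cheap to check at scale. The script below is an added triage example, not Trend Micro’s detection logic or the researchers’ tooling: it takes a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports which of those indicators are present. The MarsDaemon package prefix (com.marswin89.marsdaemon) is an assumption based on the open-source project’s Java package name, and the two sample manifests, including their package and class names, are constructed for the example.

```python
"""Manifest triage for the RottenSys-style dropper traits described above.

Added example, not code from the original article.
Assumptions (not from the article):
  - MarsDaemon classes live under the package prefix com.marswin89.marsdaemon
  - input is a decoded (plain-text) AndroidManifest.xml
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SILENT_DOWNLOAD_PERM = "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
MARSDAEMON_PREFIX = "com.marswin89.marsdaemon"  # assumption, see above


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _full_name(pkg, name):
    """Expand shorthand component names (".Foo" or "Foo") to fully qualified ones."""
    if name is None:
        return None
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def triage_manifest(manifest_xml):
    """Return the package name, the indicators found, and a verdict.

    Any single indicator is common in legitimate apps (many apps use several
    processes, and some have real reasons for silent downloads), so only the
    combination of two or more is flagged as suspicious.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    components = []  # (tag, fully qualified class name, android:process or None)
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver"):
            for comp in app.findall(tag):
                components.append((tag,
                                   _full_name(pkg, _android_attr(comp, "name")),
                                   _android_attr(comp, "process")))

    findings = []
    if SILENT_DOWNLOAD_PERM in perms:
        findings.append("silent_download_permission")

    mars = sorted(name for _, name, _ in components
                  if name and name.startswith(MARSDAEMON_PREFIX))
    if mars:
        findings.append("marsdaemon_components:" + ",".join(mars))

    # MarsDaemon keeps an app alive by running two processes that watch and
    # restart each other; in the manifest that shows up as services pinned to
    # distinct android:process values.
    procs = {proc for tag, _, proc in components if tag == "service" and proc}
    if len(procs) >= 2:
        findings.append("multi_process_services:" + ",".join(sorted(procs)))

    return {"package": pkg, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: a fake "Wi-Fi security" app showing all three traits.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wifisecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <application android:label="WiFi Security">
    <activity android:name=".MainActivity"/>
    <service android:name=".DaemonService" android:process=":daemon"/>
    <service android:name=".DaemonAssistant" android:process=":assistant"/>
    <receiver android:name="com.marswin89.marsdaemon.DaemonReceiver"/>
  </application>
</manifest>
"""

# Constructed sample: an ordinary single-process app with no such traits.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Run it against a directory of decoded manifests and review the hits by hand: the multi-process check in particular will fire on legitimate apps that use a separate process for push messaging or media playback, which is why the verdict requires at least two indicators rather than one.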
As botnet malware, it lets the operators take control of the devices and surreptitiously install more applications, which turns the affected devices themselves into a vehicle for spreading malware further.
Indeed, RottenSys is just the latest addition to the ever-growing list of potentially unwanted applications, particularly adware. Adware used to be little more than a nuisance, but its diversity and maturity in the threat landscape mean it can be expected to do more than harvest browsing habits or consume resources. Users need to be more discerning about the apps they download and practice good security hygiene. Organizations with BYOD policies, where personal and corporate data are accessed on the same device, should balance flexibility and productivity with security and privacy.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.