Mobile Adware RottenSys Can Infect Android Devices to Become Part of a Botnet

Security researchers came across an adware they named RottenSys (Trend Micro detects this family as ANDROIDOS_ROTTENSYS) that has reportedly affected nearly 5 million Android devices since 2016. Named after a sample they analyzed, RottenSys has 316 variants so far, each customized for the operators’ campaigns and targeted advertisement platform and distribution channel. Further probing into RottenSys revealed that operators were experimenting on it for a new campaign that turns the affected devices into becoming part of a botnet

[TrendLabs Research: The 2017 Mobile Threat Landscape]

How does RottenSys work?

RottenSys is disguised as a Wi-Fi security app/service and asks for Android permissions. Once installed, it connects to its command-and-control (C&C) server after a timed delay — one of the ways RottenSys evades detection. Another is how the adware contains only a dropper component that doesn’t conduct any malicious routine by itself. Here is how RottenSys works:

  1. Once installed, the dropper will communicate with the C&C server.
  2. The C&C server sends a list of other components needed to perform its routines. They are retrieved using the DOWNLOAD_WITHOUT_NOTIFICATION permission, which means the unwitting user is not alerted.
  3. RottenSys will use an open-source Android framework, which lets all the components execute simultaneously (i.e., displaying ads in the device’s home screen).
  4. RottenSys will abuse a framework called MarsDaemon to keep processes alive. This ensures that RottenSys’ operations resume even if its process is force-stopped.

[From TrendLabs Security Intelligence: GhostTeam Adware can Steal Facebook Credentials]

What is RottenSys’ impact?

MarsDaemon affects the device’s performance and can significantly drain its battery. But more than increasing wear and tear, the researchers found that RottenSys’ operators may have already earned more than US$115,000 within a span of 10 days.

As a botnet malware, it enables operators to enslave the devices and surreptitiously install more applications. These render the affected devices themselves a catalyst for further spreading malware.

[READ: Toast Overlay Weaponized to Install Several Android Malware]

How can users mitigate RottenSys?

Users can uninstall RottenSys by going to the device’s system settings. Under the app manager UI, look for these package names and uninstall them:

  • com.changmi.launcher
  • com.system.service.zdsgt

[DevOps Security: Mobile App Security for Developers]

Indeed, RottenSys is just the latest among the ever-growing list of potentially unwanted applications, particularly adware. While adware used to be limited to being a nuisance, their diversity and maturity in the threat landscape mean they are projected to steal more than user browsing habits or consume more resources. Users need to be more discerning of the apps they download and practice security hygiene. Organizations with BYOD policies, where both personal and corporate data are accessed in the same device, should balance flexibility and productivity with security and privacy.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (also available on Google Play). Trend Micro™ Mobile Security for Enterprise provide device, compliance and application management, data protection, and configuration provisioning, as well as protect devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.