RottenSys

RottenSys is Android adware identified by researchers at Check Point and found pre-installed on nearly 5 million mobile devices worldwide manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung, and GIONEE. The malware, which is disguised as a Wi-Fi security app/service, requests Android permissions including DOWNLOAD_WITHOUT_NOTIFICATION, which allows the malware's C2 server to push additional components to the device without any user interaction or notification. RottenSys is able to run these components simultaneously using an open-source Android framework, which is how ads are displayed on the infected device's home screen. The malware also uses the MarsDaemon framework to make sure its operations resume even if the process is force-stopped. Because the C2 server can download malicious components at any time, RottenSys effectively turns the mobile device into a botnet node that can be used to further spread malware.

All Android users should check their phone for the common indicators of compromise (IoCs) by following these steps. In the Settings menu, open the app manager, look for any of the following package names, and uninstall them immediately:

  • com.android.yellowcalendarz
  • com.changmi.launcher
  • com.android.services.securewifi
  • com.system.service.zdsgt
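The manual app-manager check above does not scale to a fleet of devices. The following is an added example (not code from the original page or from Check Point) that automates the same IoC check over `adb shell pm list packages` output and, for each flagged package, inspects its `adb shell dumpsys package <pkg>` dump for the DOWNLOAD_WITHOUT_NOTIFICATION permission the page names. The package list and dumpsys excerpt embedded below are constructed samples, not real captures; the function names are this example's own.

```python
from typing import Dict, Iterable, List, Set

# Package names the page lists as RottenSys indicators of compromise.
ROTTENSYS_PACKAGES: Set[str] = {
    "com.android.yellowcalendarz",
    "com.changmi.launcher",
    "com.android.services.securewifi",
    "com.system.service.zdsgt",
}

# The permission the page names as the one that lets the C2 server fetch
# components silently.
SILENT_DOWNLOAD_PERMISSION = "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"

# Constructed sample of `adb shell pm list packages` output (not a real capture).
SAMPLE_PM_LIST = """\
package:com.android.settings
package:com.android.services.securewifi
package:com.example.photos
package:com.system.service.zdsgt
"""

# Constructed sample of the relevant part of `adb shell dumpsys package <pkg>`
# (not a real capture).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.services.securewifi] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
    install permissions:
      android.permission.INTERNET: granted=true
"""


def parse_pm_list(output: str) -> Set[str]:
    """Return package names from `pm list packages` output ("package:<name>" lines)."""
    return {
        line[len("package:"):].strip()
        for line in output.splitlines()
        if line.startswith("package:")
    }


def find_ioc_packages(installed: Iterable[str]) -> List[str]:
    """Match installed packages against the IoC list, ignoring case so that
    capitalised spellings such as 'Com.changmi.launcher' still hit."""
    iocs = {p.lower() for p in ROTTENSYS_PACKAGES}
    return sorted(p for p in installed if p.lower() in iocs)


def parse_requested_permissions(dumpsys_output: str) -> List[str]:
    """Extract the 'requested permissions:' block of a dumpsys package dump.
    The block ends at the next line indented no deeper than the header."""
    perms: List[str] = []
    in_block = False
    block_indent = 0
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_block = True
            block_indent = indent
            continue
        if in_block:
            if not stripped or indent <= block_indent:
                break  # reached the next section, e.g. "install permissions:"
            perms.append(stripped.split(":")[0])
    return perms


def has_silent_download_permission(perms: Iterable[str]) -> bool:
    return SILENT_DOWNLOAD_PERMISSION in set(perms)


def triage_device(pm_list_output: str, dumpsys_by_package: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for a single device."""
    installed = parse_pm_list(pm_list_output)
    ioc_hits = find_ioc_packages(installed)
    silent = [
        pkg for pkg, dump in dumpsys_by_package.items()
        if has_silent_download_permission(parse_requested_permissions(dump))
    ]
    return {"ioc_packages": ioc_hits, "silent_download_packages": sorted(silent)}


if __name__ == "__main__":
    report = triage_device(SAMPLE_PM_LIST, {"com.android.services.securewifi": SAMPLE_DUMPSYS})
    for pkg in report["ioc_packages"]:
        print(f"IoC match: {pkg}")
    for pkg in report["silent_download_packages"]:
        print(f"{pkg} requests {SILENT_DOWNLOAD_PERMISSION}")
```

In practice the two inputs come from `adb shell pm list packages` and `adb shell dumpsys package <pkg>` on the device being checked. Note that RottenSys ships pre-installed on the system partition, so on an unrooted device the Settings uninstall button may be unavailable; `adb shell pm uninstall -k --user 0 <pkg>` removes the package for the current user without root.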

Technical Details

  • Check Point provides technical analysis of the RottenSys malware, here.