
RottenSys

Posted: June 8, 2020

Mobile adware can be a very lucrative scheme for cybercriminals who find a way to reach millions of devices. Reaching that scale is the hard part, and Android adware families that have infected millions of devices are rare. Such campaigns do exist, however, and they usually rely on a range of evasive techniques to keep the operation under the radar for as long as possible. RottenSys is an Android adware family believed to have affected close to 5,000,000 Android devices, the majority of them in China. What sets this adware apart is that it does not necessarily need to be installed by the user: in many cases RottenSys was found on newly purchased devices, which makes a supply-chain attack the likely way the threatening component was planted.

RottenSys usually poses as a WiFi service that requests a long list of permissions from the user. Many of these requests have nothing to do with WiFi, and tech-savvy users are likely to notice that something is wrong when a WiFi application asks to download files, post notifications, manage wallpapers, change device settings and more. In fact, the RottenSys adware asks for over 30 different permissions. A quick check for any suspicious app is to compare what it claims to do with what it asks for: a WiFi helper has no business requesting wallpaper, settings or package-installation permissions.

The RottenSys Adware Might Have Been Planted Before the Phones Hit the Shelves

Once active, RottenSys does not carry out its tasks immediately. Instead, it waits for a random period before doing anything, so that the user is less likely to connect the fake WiFi service with the sudden influx of unwanted advertisements. The second trick is that the package on the device does not contain all of its components; it is essentially a dropper that silently contacts a Command and Control server and fetches the rest of what it needs. The download produces no visible progress notification because RottenSys requests the 'DOWNLOAD_WITHOUT_NOTIFICATION' permission. Once the delay has elapsed and the components have been fetched, RottenSys gets to work and starts displaying advertisements on the home screen, in the notifications tray and in the Web browser. For an analyst this means a static look at the installed APK shows only the dropper; the advertising logic arrives later from the C&C server, so a network capture and a dynamic analysis run are needed to see the full behaviour.
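The two indicators described above, a self-described WiFi app that requests far more than a WiFi helper needs (including DOWNLOAD_WITHOUT_NOTIFICATION) and a package that shipped on the firmware partition, can be checked offline from two adb/aapt captures. The following Python script is an added example written for this page; it is not code from the original write-up or from any vendor tool. The package names, APK paths, the "expected for WiFi" allowlist and the verdict thresholds are all assumptions constructed for the example; the input formats are those printed by adb shell pm list packages -f and aapt dump permissions.

```python
"""Added example: flag a self-described Wi-Fi app whose permission set looks like
RottenSys (preinstalled, 30+ permissions, silent-download/overlay capabilities)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

P = "android.permission."
# Assumed allowlist: what a genuine Wi-Fi helper plausibly needs.
WIFI_EXPECTED = {P + n for n in (
    "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE", "CHANGE_NETWORK_STATE",
    "INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}
# Permissions that map onto the behaviours described in the write-up.
SUSPICIOUS = {P + n: why for n, why in {
    "DOWNLOAD_WITHOUT_NOTIFICATION": "silent download of extra components",
    "RECEIVE_BOOT_COMPLETED": "restarts at boot (persistence)",
    "SYSTEM_ALERT_WINDOW": "draws ads over the home screen",
    "SET_WALLPAPER": "manages wallpaper",
    "WRITE_SETTINGS": "manages device settings",
    "INSTALL_PACKAGES": "installs packages (system apps only)",
    "REQUEST_INSTALL_PACKAGES": "prompts to install packages"}.items()}
# Partitions from which a package shipped with the firmware.
PRELOAD_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/")
# `aapt dump permissions` prints  uses-permission: name='<perm>'  (older aapt: uses-permission: <perm>)
PERM_LINE = re.compile(r"^uses-permission:\s*(?:name=')?(?P<perm>[\w.]+)'?")


def parse_pm_list(text: str) -> dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output
    (lines look like  package:/system/app/Foo/Foo.apk=com.foo)."""
    pkgs: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # rpartition because APK paths on newer Android contain '==' themselves
            path, sep, pkg = line[len("package:"):].rpartition("=")
            if sep:
                pkgs[pkg] = path
    return pkgs


def parse_aapt_permissions(text: str) -> set[str]:
    """Collect <uses-permission> names from `aapt dump permissions` output."""
    return {m.group("perm") for m in map(PERM_LINE.match, map(str.strip, text.splitlines())) if m}


@dataclass
class Finding:
    package: str
    preinstalled: bool
    requested: int
    unexpected: list[str] = field(default_factory=list)
    suspicious: dict[str, str] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        # Thresholds are assumptions chosen for this example, not vendor rules.
        if self.suspicious and (self.preinstalled or self.requested >= 30):
            return "HIGH"
        if self.suspicious or len(self.unexpected) > 5:
            return "MEDIUM"
        return "LOW"


def triage(package: str, apk_path: str, perms: set[str],
           expected: set[str] = WIFI_EXPECTED) -> Finding:
    """Compare what the app asks for with what its claimed purpose needs."""
    return Finding(package, apk_path.startswith(PRELOAD_PREFIXES), len(perms),
                   sorted(perms - expected),
                   {p: SUSPICIOUS[p] for p in sorted(perms) if p in SUSPICIOUS})


def run_triage(pm_text: str, aapt_dumps: dict[str, str]) -> dict[str, Finding]:
    """Join the package list with each package's permission dump."""
    paths = parse_pm_list(pm_text)
    return {pkg: triage(pkg, paths.get(pkg, ""), parse_aapt_permissions(dump))
            for pkg, dump in aapt_dumps.items()}


# --- Constructed sample data (package names and paths are hypothetical) ---
SAMPLE_PM_LIST = """\
package:/system/app/WifiService/WifiService.apk=com.example.wifiservice
package:/data/app/com.example.wifiscanner-1/base.apk=com.example.wifiscanner
"""

def _aapt(pkg: str, names: list[str]) -> str:
    return "\n".join([f"package: {pkg}"] + [f"uses-permission: name='{P}{n}'" for n in names])

SAMPLE_AAPT = {
    # Fake "Wi-Fi service" asking for 32 permissions, most unrelated to Wi-Fi.
    "com.example.wifiservice": _aapt("com.example.wifiservice", [
        "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE",
        "CHANGE_NETWORK_STATE", "INTERNET", "ACCESS_FINE_LOCATION",
        "ACCESS_COARSE_LOCATION", "DOWNLOAD_WITHOUT_NOTIFICATION",
        "RECEIVE_BOOT_COMPLETED", "SYSTEM_ALERT_WINDOW", "SET_WALLPAPER",
        "SET_WALLPAPER_HINTS", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
        "INSTALL_PACKAGES", "READ_PHONE_STATE", "READ_EXTERNAL_STORAGE",
        "WRITE_EXTERNAL_STORAGE", "WAKE_LOCK", "VIBRATE", "GET_TASKS",
        "READ_LOGS", "RECEIVE_USER_PRESENT", "KILL_BACKGROUND_PROCESSES",
        "BLUETOOTH", "BLUETOOTH_ADMIN", "GET_ACCOUNTS",
        "MOUNT_UNMOUNT_FILESYSTEMS", "RESTART_PACKAGES", "EXPAND_STATUS_BAR",
        "DISABLE_KEYGUARD", "ACCESS_DOWNLOAD_MANAGER"]),
    # A plausible benign Wi-Fi scanner for comparison.
    "com.example.wifiscanner": _aapt("com.example.wifiscanner", [
        "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE",
        "ACCESS_FINE_LOCATION", "INTERNET"]),
}

if __name__ == "__main__":
    for f in run_triage(SAMPLE_PM_LIST, SAMPLE_AAPT).values():
        print(f"{f.verdict:6} {f.package}  preinstalled={f.preinstalled} "
              f"perms={f.requested} unexpected={len(f.unexpected)}")
        for perm, why in f.suspicious.items():
            print(f"         {perm}: {why}")
```

On a real device, replace the constructed strings with the output of adb shell pm list packages -f and, for each package of interest, adb pull of the APK followed by aapt dump permissions. The allowlist is the part worth tuning per app category; the point of the check is the mismatch between stated purpose and requested capability, which is exactly what the 30-plus permission list of a supposed WiFi service exposes.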

The campaign reached peak activity in July 2018, with a total of 800,000 newly infected devices. Researchers observing the campaign at the time noticed something worrying about the Command and Control server: it appeared to host a botnet framework that the operators were testing. This suggests that RottenSys was being prepared to do more than simply display advertisements.

The presence of RottenSys on a device brings problems beyond the annoying advertisements: many affected users reported significantly reduced battery life and degraded system performance. The recommended way to deal with RottenSys and other Android adware is a reputable mobile anti-malware application. Bear in mind that a component planted through the supply chain may sit on the system partition as a preinstalled app, in which case the regular Uninstall option is not offered; removing it for the current user over adb (adb shell pm uninstall -k --user 0 followed by the package name) or reflashing a clean firmware image from the vendor is then required.
