Pre-Installed Malware Found on Nearly 5 Million Android Devices

A malware referred to as RottenSys has been discovered to have infected nearly 5 million devices since 2016. It is possible that the malware could have been installed on older devices as well.

Check Point Software Technologies, the company that discovered the infections, found that 49.2% of the infected devices had been shipped through Tian Pai, a Hangzhou-based mobile phone distributor. At this point it is not clear whether Tian Pai is directly involved. The affected manufacturers are Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.

The malware is disguised as a System Wi-Fi service app that contains no malicious code and initially performs no malicious activity, in order to go unnoticed. After a set amount of time, the program contacts its command-and-control (C&C) server to download the components it needs for its activity. RottenSys then uses multiple open-source Android frameworks to keep itself running and to feed advertisements to the user. From March 3 to March 12, the malware generated over $115,000 in ad-click revenue.

It is unclear what the developers of RottenSys plan to do with their massive botnet besides aggressively serving people ads, but they do have the ability to push any code they want to the infected phones. This means they could make the phones participate in large-scale botnet attacks.

In order to remove the malware from a device, a user has to remove four separate packages.

Package Name                       App Name
com.android.yellowcalendarz        每日黄历
com.changmi.launcher               畅米桌面
com.android.services.securewifi    系统WIFI服务
com.system.service.zdsgt
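Because RottenSys ships pre-installed, its packages sit on the read-only system partition and a plain `adb uninstall` fails on them; the usual way to get rid of such an app is `pm uninstall -k --user 0`, which removes it for the primary user. The script below is an added example, not part of the Check Point report or the original post: it matches the four package names from the table against the output of `adb shell pm list packages -f` (a constructed sample is embedded so it runs offline) and emits the removal command for each hit.

```shell
#!/bin/sh
# Added example: find the four RottenSys package names in `pm list packages -f`
# output and print the command that removes each one for user 0.

# The four package names given in the Check Point report.
ROTTENSYS_PACKAGES="com.android.yellowcalendarz com.changmi.launcher com.android.services.securewifi com.system.service.zdsgt"

# Constructed sample of `adb shell pm list packages -f` output. Each line is
# package:<apk path>=<package name>. Real output comes from a connected device.
SAMPLE_PM_OUTPUT='package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/SecureWifi/SecureWifi.apk=com.android.services.securewifi
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/Launcher/Launcher.apk=com.changmi.launcher'

# find_rottensys_packages: read pm output on stdin and print every package
# name that is on the RottenSys list, one per line, in the order seen.
find_rottensys_packages() {
    while IFS= read -r line; do
        pkg=${line##*=}            # text after the last '=' is the package name
        for bad in $ROTTENSYS_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
    return 0
}

# removal_commands: read pm output on stdin and print one
# `adb shell pm uninstall -k --user 0 <pkg>` line per RottenSys package found.
# -k keeps app data so the removal can be reverted if it was a false positive.
removal_commands() {
    find_rottensys_packages | while IFS= read -r pkg; do
        printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
    done
    return 0
}

# Stand-alone run against the constructed sample. Against a real device:
#   adb shell pm list packages -f | removal_commands
printf '%s\n' "$SAMPLE_PM_OUTPUT" | removal_commands
```

On a device `pm list packages -f` is run through `adb shell`, so pipe its output into `removal_commands` as shown in the final comment.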

There is nothing that consumers are able to do to prevent an attack of this nature from occurring. The only thing we can do is be extremely paranoid about the applications that come pre-installed on our phones. We need to check the permissions that the applications request and determine whether each permission is something the application should need. Of course, this is not a reasonable thing to ask of most people, and so most people are left at the mercy of the industry to keep their devices safe.

– Zachary Campanella

Sources:

https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/

https://thehackernews.com/2018/03/android-botnet-malware.html

http://securityaffairs.co/wordpress/70299/malware/rottensys-botnet.html

New DoubleLocker Ransomware Attacks Android Devices

Security researchers have discovered a new kind of ransomware for Android that both changes the affected device’s PIN code and encrypts its files. It goes by the name DoubleLocker and is reported to reuse code from an old banking trojan called Svpeng, formerly one of the more interesting pieces of Android malware: it would overlay fake banking logins, steal money from bank accounts using SMS account management, change PIN codes, and encrypt user files. Fortunately, DoubleLocker doesn’t attempt to steal any banking information. At least not yet.

DoubleLocker takes a new approach to ransomware, being the first of its kind to misuse Android’s accessibility service to gain admin rights. Once installed, usually through a fake Flash Player update, the app requests accessibility permissions. If the user grants them, the app is able to simulate touches on the screen, so it makes itself a device administrator and sets itself as the default home app. This means that whenever the user presses the home button, the malware is re-launched. The app uses its administrator rights to change the PIN code on the phone and encrypts all of the user’s files into .cryeye files with a random key stored at a remote location.


Once running, the app shows a ransom request for 0.013 BTC (about $70) which, when paid, is supposed to trigger remote decryption of the phone and removal of the PIN lock.

There are a few ways to protect yourself from these kinds of attacks. For one, Flash Player for mobile is dead, so don’t try to update it. More generally, however, you should:

  • Only install apps from trusted sources
  • Keep the “Unknown Sources” checkbox off unless you have a very good reason to turn it on. Always turn it back off right afterwards.
  • Keep an antivirus app on your smartphone
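The two footholds described above, an enabled accessibility service and a hijacked default home app, are both visible through adb without any special tooling. The audit below is an added example, not code from ESET or the original post: it compares the device’s `enabled_accessibility_services` setting and the component that answers the HOME intent against an allowlist you maintain, and flags anything unexpected. The allowlists and the sample values (including the `com.example.flashupdate` package) are constructed for the example.

```shell
#!/bin/sh
# Added example: flag accessibility services and a default home app that the
# owner did not knowingly enable. Constructed samples stand in for the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell cmd package resolve-activity --brief -c android.intent.category.HOME -a android.intent.action.MAIN

# Assumed allowlist: accessibility services the owner enabled on purpose, in the
# package/class form Android stores in the setting (':'-separated there).
KNOWN_A11Y_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
# Assumed allowlist: launcher components expected to handle the HOME intent.
KNOWN_HOME_APPS="com.android.launcher3/com.android.launcher3.Launcher"

# Constructed sample: TalkBack plus a service from a package posing as a Flash update.
SAMPLE_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.flashupdate/.MainService"
# Constructed sample: the HOME resolver names the same unknown package, not the stock launcher.
SAMPLE_HOME="com.example.flashupdate/.HomeActivity"

# flag_unknown LIST SEP ALLOWLIST: print "UNEXPECTED <entry>" for every
# SEP-separated entry of LIST that is absent from the whitespace-separated ALLOWLIST.
flag_unknown() {
    list=$1; sep=$2; allow=$3
    if [ "$list" = "null" ]; then      # `settings get` prints null when unset
        return 0
    fi
    printf '%s\n' "$list" | tr "$sep" '\n' | while IFS= read -r entry; do
        if [ -n "$entry" ]; then
            found=0
            for ok in $allow; do
                if [ "$entry" = "$ok" ]; then found=1; fi
            done
            if [ "$found" -eq 0 ]; then printf 'UNEXPECTED %s\n' "$entry"; fi
        fi
    done
    return 0
}

audit_accessibility() { flag_unknown "$1" ':' "$KNOWN_A11Y_SERVICES"; }
audit_home_app()      { flag_unknown "$1" ' ' "$KNOWN_HOME_APPS"; }

# Stand-alone run against the constructed samples.
audit_accessibility "$SAMPLE_A11Y"
audit_home_app "$SAMPLE_HOME"
```

An unexpected entry in either list is not proof of infection, but a service granted accessibility rights by a "Flash Player update" is exactly the condition the post describes and deserves a look at the package behind it.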

Sources used:

~ Daniel Monteagudo

Is your phone really locked?


Recently, new information has come out regarding a lock screen vulnerability in certain Android products. “Google recently issued a patch for Nexus mobile devices to fix an Android Lollipop vulnerability that lets hackers bypass the lock screen and gain control of mobile devices. However, it could take weeks to months for manufacturers and service providers to roll out the patch for other Android devices.” University of Texas security researcher John Gordon was the person who discovered this vulnerability.

Pattern and PIN locks do not provide a text field. The attack relies on pasting text into that field to crash the lock screen, so the safest thing to do is to use one of those two methods of securing your phone. “Lock screen security in general is iffy, lock screen vulnerabilities happen on all mobile operating platforms,” Lysa Myers, a researcher for Eset, told LinuxInsider.

Many owners of these types of phones may ignore this recent news because they feel they have set a password that is hard to crack, but that is no deterrent to these hackers. “This is a major threat. Even when users feel confident about locking their phone with a strong password, if their device is exposed to this exploit, it does not really matter how strong the password is,” said Armando Leon, director of mobile at LaunchKey.

Overall, it could take many months for most users to receive the patches. While the patches trickle out to users at such a slow pace, there are no measures in place to stop these hackers from bypassing a person’s lock screen and going straight to their home screen. This results in loss of personal data as well as huge inconvenience to the owner.

Source: http://www.technewsworld.com/story/82513.html

Lisa Ann Hornak

Android SMS Malware

According to Sophos’ Naked Security blog, fake Android applications are making the rounds that use SMS (text messages) to act much like a worm and infect as many people as possible. Apps such as ‘Heart App’ and ‘Self-time’ have been discussed and dealt with previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with having a friend (or other contact) who is already infected. You receive an SMS from this person containing an introduction, a message saying they are sending you an Amazon gift card, and a ‘link’ where you can claim it. These links are usually obscured by URL-shortening services such as Bitly, so they generally don’t look like a normal domain name. Following the link directs you to download and install Gazon, masquerading as an Amazon Rewards application. Once the app is downloaded and run, every contact the user has becomes a viable target, as Gazon does not limit the number of contacts it will attempt to reach the way Heart App and Self-time do. On top of this, pop-up ads advertising games, vouchers and rewards are displayed when using browsers (according to the article).

There are two things that I find interesting about this ordeal. The first is that this app is not certified by Google, and thus does not appear on the Google Play store. The only way that this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, then one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that it’s likely no such application exists. The second thing that I found interesting is how many ways infection could be avoided with this app, which are not taken by the victims. For example, simply responding to the message by asking the contact what it’s all about would likely result in the contact confirming it’s spam. Similarly, someone upon being prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions is taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous apps of this kind have sometimes been tracked down, such as Heart App, which was traced to a bored Chinese college student, but it depends on how hard the authors try to stay hidden. On that note, the Self-time app, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used:

https://nakedsecurity.sophos.com/2015/03/06/gazon-android-virus-smses-everyone/

https://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-watch-out-for-text-messages-even-from-your-friends/

https://nakedsecurity.sophos.com/2014/08/11/android-heart-app-virus-spreads-quickly-author-arrested-within-17-hours/

Android Malware Fakes Shutdown, Steals Data

A new type of Android malware is able to hijack your phone’s shutdown process and fake being turned off. Once in this false shutdown state, the malware steals data and uses the phone’s services. The phone must be rooted to be vulnerable to this exploit.

Researchers at AVG found the malware and posted information about it on their blog on February 18, 2015. When an infected phone is being shut down, a fake dialog box appears giving the user what appear to be the standard options. When shutdown is selected, the malware plays a fake shutdown sequence and the phone appears to be turned off. In this state the victim’s phone can be accessed and used to make calls, take pictures and transfer data without the victim’s knowledge.

According to AVG, the malware has spread to at least 10,000 Chinese devices so far through third-party app sites. They report that the malware can affect devices running any Android version prior to 5.0 (Lollipop), provided the phone is rooted.

The exploit involves the ShutDownThread.shutdown function and the mWindowManagerFuncs.shutdown interface object. The malware tries to gain root permissions and, once successful, injects a modified system_server process to hijack the stock shutdown function. It then listens for the power key button press, at which point it launches its own fake dialog box.

Jacob R Hooker

Source:

http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

http://www.securityweek.com/android-malware-hijacks-phone%E2%80%99s-shutdown-process

http://www.pcworld.com/article/2886932/android-malware-fakes-phone-shutdown-to-steal-data.html