CyberWisdom Safe Harbor Commentary on Pre-Installed Malware
Security researchers have discovered a large and still-growing malware campaign that has infected almost 5 million mobile devices worldwide.
The main findings on the Pre-Installed Malware:
Since September 2016, the RottenSys adware has infected nearly 5 million devices.
There are indications that the malware may have entered the supply chain even earlier.
The attackers have begun testing new botnet capabilities through the same C&C server.
The Check Point Mobile Security team discovered this new and widespread malware family, which has infected nearly 5 million devices to generate fraudulent advertising revenue. They named it "RottenSys" after the samples they analyzed; in those samples it was initially disguised as a system Wi-Fi service.
How does Pre-Installed Malware work?
What first drew Check Point's attention was an unusual, self-described "System Wi-Fi Service" (系统WIFI服务) app on a Xiaomi Redmi phone. The RottenSys malware, posing as that System Wi-Fi Service application, came pre-installed on millions of new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE, added somewhere along the supply chain.
All of the affected devices were shipped through Tian Tian, a mobile phone distributor in Hangzhou, but the researchers could not determine whether the company was directly involved. Check Point's analysis showed that the application provides no Wi-Fi related functionality at all. Instead, it requests a set of sensitive Android permissions that have nothing to do with a Wi-Fi service, such as binding an accessibility service, reading the user's calendar, and downloading files without showing a notification.
According to the Check Point mobile security team, RottenSys is advanced malware that provides no secure Wi-Fi service but requests almost every sensitive Android permission it needs to carry out its malicious activity.
"Based on our findings, the RottenSys malware began to spread in September 2016. By March 12, 2018, RottenSys had infected 4,964,460 devices," the researchers said.
To evade detection, the fake System Wi-Fi Service application initially contains no malicious components and does not start any malicious activity right away.
Instead, RottenSys is designed to contact its command and control server and fetch a list of the components it needs, which contain the actual malicious code.
RottenSys then downloads and installs each component silently, relying on the DOWNLOAD_WITHOUT_NOTIFICATION permission so that no user interaction is needed and no download notification is shown.
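The permission profile described above (an accessibility service plus calendar and silent-download permissions on an app that claims to be a Wi-Fi helper) is something an analyst can check for directly in a decoded AndroidManifest.xml. The following is an added example, not Check Point's tooling or code from the original article: it parses a manifest and flags that combination. The sample manifest is constructed for illustration; the package name is one of the indicators listed later on this page, while the service name WifiAccService and the app label are assumptions.

```python
"""Added example: triage a decoded AndroidManifest.xml for the permission
profile the article attributes to the RottenSys "System Wi-Fi Service" dropper.
Not Check Point's code. The manifest below is constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article says the dropper requests and that a Wi-Fi helper
# has no legitimate reason to hold.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",  # silent staging via DownloadManager
    "android.permission.READ_CALENDAR",
}
# An accessibility service is not a <uses-permission>; it is a <service>
# protected by BIND_ACCESSIBILITY_SERVICE with this intent-filter action.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (as apktool would decode it); not a real RottenSys dump.
# The service name and label are assumptions made for this example.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.android.services.securewifi">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <application android:label="System Wi-Fi Service">
    <service android:name=".WifiAccService" android:permission="{BIND_ACCESSIBILITY}">
      <intent-filter>
        <action android:name="{ACCESSIBILITY_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, a list of findings and a suspicious flag."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME)
        for s in root.iter("service")
        if s.get(PERMISSION) == BIND_ACCESSIBILITY
        and any(a.get(NAME) == ACCESSIBILITY_ACTION for a in s.iter("action"))
    ]
    findings = sorted(requested & SUSPICIOUS_PERMISSIONS)
    if accessibility_services:
        findings.append("accessibility service: " + ", ".join(accessibility_services))
    return {
        "package": root.get("package"),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with `apktool d app.apk`; a hit on the silent-download permission together with an accessibility service on an app whose only stated purpose is Wi-Fi management is exactly the mismatch the researchers describe and is worth escalating.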
At this point the campaign pushes an adware component to all infected devices, which aggressively displays ads on the device's home screen as pop-ups or full-screen ads to generate fraudulent advertising revenue.
"RottenSys is an aggressive advertising network. In the past 10 days alone, it has displayed aggressive advertising 13,500,756 times (known in the ad industry as impressions), of which 548,822 have been converted into ad clicks," the researchers said.
According to Check Point's researchers, the malware's authors have made more than $115,000 in the past 10 days alone, but the attackers can do far more "damage than simply displaying unsolicited ads."
Because RottenSys is designed to download and install any new component from the C&C server, an attacker can easily weaponize or take full control of millions of infected devices.
The investigation also revealed some evidence that RottenSys attackers have begun to turn millions of infected devices into a large-scale botnet.
It has been found that some infected devices have installed a new RottenSys component, which provides attackers with a wider range of capabilities, including the silent installation of additional applications and UI automation.
"Interestingly, part of the botnet's control mechanism is implemented in Lua scripts. Without intervention, attackers can reuse their existing malware distribution channels and quickly seize control of millions of devices," the researchers pointed out.
This is not the first time Check Point researchers have found top brands affected by supply chain attacks.
Last year, the company discovered that smartphones from Samsung, LG, Xiaomi, Asus, Nexus, Oppo and Lenovo shipped with two pre-installed malware families (the Loki Trojan and the SLocker mobile ransomware) designed to spy on users.
How to detect and delete Android Pre-Installed Malware?
To check whether your device is infected with this malware, go to Android System Settings → App Manager and look for the following package names used by RottenSys:
- com.android.yellowcalendarz (每日黄历, "Daily Almanac")
- com.changmi.launcher (畅米桌面, "Changmi Launcher")
- com.android.services.securewifi (系统WIFI服务, "System WIFI Service")
If any of the above appears in your list of installed apps, uninstall it. If the App Manager only offers Disable because the package was installed as a system app, disable it and treat the device as untrusted until it has been reflashed with clean firmware.
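For more than a handful of devices, checking the App Manager by hand does not scale. The following is an added example, not part of the original article or Check Point's tooling: it runs the same indicator check against the output of `adb shell pm list packages`, which is an existing adb/pm command. The live path assumes `adb` is on the PATH and USB debugging is enabled; the sample output below is constructed, not captured from an infected phone.

```python
"""Added example: check an Android device's installed packages for the three
RottenSys package names listed above. Not code from the original article.
Assumes `adb` is on PATH when scan_device() is used; SAMPLE_PM_OUTPUT is constructed."""
import subprocess

ROTTENSYS_PACKAGES = {
    "com.android.yellowcalendarz",       # 每日黄历
    "com.changmi.launcher",              # 畅米桌面
    "com.android.services.securewifi",   # 系统WIFI服务
}

# Constructed: what `adb shell pm list packages` prints, one "package:<name>" per line.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.android.services.securewifi
package:com.example.notes
package:com.changmi.launcher
"""


def parse_pm_list(output: str) -> set:
    """Turn `pm list packages` output into a set of package names."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()  # adb on Windows leaves a trailing \r
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def find_rottensys(installed: set) -> list:
    """Return the RottenSys indicator packages present on the device, sorted."""
    return sorted(installed & ROTTENSYS_PACKAGES)


def scan_device(serial: str = "") -> list:
    """Query a connected device over adb and return any matching packages."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "pm", "list", "packages"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_rottensys(parse_pm_list(out))


def removal_commands(matches: list) -> list:
    """adb commands that remove each match for the primary user (user 0).
    A package living on the system partition cannot be fully uninstalled
    without root; `--user 0` removes it for the primary user on most builds."""
    return [f"adb shell pm uninstall --user 0 {pkg}" for pkg in matches]


if __name__ == "__main__":
    hits = find_rottensys(parse_pm_list(SAMPLE_PM_OUTPUT))
    print("matches in constructed sample:", hits)
    for command in removal_commands(hits):
        print(command)
```

Pass a serial from `adb devices` to `scan_device()` when several phones are attached. Note that an absent package name does not prove a device is clean: because the dropper fetches its components from the C&C server, new builds can ship under different names, so treat these three names as a starting point rather than a complete signature.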
thumbnail courtesy of thehackernews.com.
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.