Nearly 5 million Android phones are infected with malicious advertising viruses, all of which are recruited.

Source: Internet
Author: User


Where the users are, there the profit is.

The underground "black industry" understands this golden rule thoroughly.

Think back to the problems you ran into when using your computer. Are they gradually migrating to your mobile phone?

For example: the phone sometimes freezes and runs slowly; there are always annoying pop-up ads; some programs secretly steal your private information...

Recently, the security company CheckPoint found that several mainstream Android phone brands in China are being hit with malicious advertisements pushed by the same group. The targets include Honor, Huawei, Xiaomi, OPPO, and vivo.

How did these malicious programs get onto the phones? What are the symptoms of an infected phone? How can you tell whether you are affected? Here is Lei Feng's analysis.

RottenSys, a wolf in sheep's clothing

Because the incident began with malware disguised as an Android system service, the CheckPoint security team named it RottenSys.

The discovery of this malware was itself a winding road.

At first, security researchers noticed that many users complained their phones were slow and kept getting a prompt that the "System WIFI service" had crashed. On a single phone this would not be surprising, but when many phones show the same problem, it becomes a little strange.

Taking Xiaomi as an example, since the end of last October many users have raised this issue in the forum, but almost all of them blamed the system. RottenSys's strategy of impersonating system software can be said to have been quite successful.

However, when researchers examined the digital signing certificate of the program in question, they found that it did not belong to any known Xiaomi mobile ecosystem certificate. At the same time, the program had no system Wi-Fi-related functionality at all.

Since it is not a built-in system component, how did a malicious program get onto users' phones?

After carefully examining the installation information of the "System WIFI service" and analyzing a large amount of additional data, the CheckPoint researchers suspected that the malware may have been installed after the phone left the factory but before the user purchased it.

According to CheckPoint, almost half of the infected phones passed through the Chinese phone distributor TianPai, and employees of the reseller may have taken advantage of the time a phone spent in their hands before reaching the user to install applications infected with RottenSys on the device.

About 0.35 million phones are pushed malicious advertisements repeatedly every day.

Based on an in-depth analysis of the known data, CheckPoint believes the RottenSys gang set up its operation in September 2016, but did not start the campaign immediately. Instead, it spent time and effort refining the operation to make it more damaging.

In an interview, the security research team admitted that although they had seen a great deal of Android malware before, infection on such a large scale of devices is rare. The reason the hackers succeeded this time is that they also benefited from two open-source projects on GitHub.

One is the Small open-source framework developed by Wequick, which can load hidden malicious modules. After the initial activation of RottenSys, three malicious modules are silently downloaded and loaded from the hackers' server, and within one to three days the device begins receiving and displaying pop-up advertisements.

The other is the open-source project MarsDaemon, which helps malicious programs persist on the system for a long time and prevents Android from killing their background processes. Even after users close them, the ad-injection mechanism cannot be shut down.

Once this "equipment" was in place, the gang saw explosive growth in July 2017. According to CheckPoint statistics:

As of March 12, 2018, the total number of infected Android phones was as high as 4.96 million. About 0.35 million infected phones were hit by malicious advertisement pushes repeatedly every day.

Distribution of infected phone brands (top 5): Honor, Huawei, Xiaomi, OPPO, and vivo.

During the 10-day period from March 3 to March 12, the RottenSys group forcibly pushed more than 13.25 million advertisement impressions to victims and obtained more than 0.54 million ad clicks. Conservatively estimated, the illicit advertising revenue is about 0.72 million RMB.

I spent money to buy a phone, and in the end I have to put up with advertising harassment and exploitation by distributors.

Troubleshooting for affected users

People all over the world use Android. Why do Android phones in our country always get hit?

Reasonably speaking, Apple and Google are both powerful and wealthy companies, and the security of iOS and Android should not differ by that much.

An important point is that Chinese users cannot download applications from the official Google Play without a VPN (a "ladder"), so most of the time they have to use the app stores provided by the phone manufacturers. For example, Xiaomi users download from Xiaomi's app store, while Huawei users download from Huawei's... In terms of security, each vendor is responsible for protecting its own store.

What's more, most users do not know proper Android security practices and often install apps from third-party stores, which increases the chance of picking up malicious programs.

I found that, taking RottenSys as an example, the only weak point in the internal operation of such malware is the installation process. Applications infected with RottenSys typically request a huge list of permissions, so users with high security awareness can easily spot and avoid installing them. Unfortunately, not all Android users are privacy-conscious, and most everyday users tend to grant every permission an application asks for.

Fortunately, in most cases the initial RottenSys malware is installed in the phone's ordinary storage area (rather than the protected system area), so affected users can uninstall it themselves. Security researchers suggest that if you suspect you may be a victim of RottenSys, you can look for and uninstall the following software in Android's app management settings:
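The three signals the article relies on (a signing certificate that is not a known vendor certificate, an APK sitting in ordinary user storage rather than the protected system partition, and an unusually long list of dangerous permissions) can be checked from a workstation with `adb` and `apksigner`. The triage helper below is an added example, not code from the article, from CheckPoint or from Lei Feng. It parses text in the shape of `adb shell dumpsys package <pkg>` and `apksigner verify --print-certs`; the sample inputs are constructed, the package name is hypothetical, and the vendor certificate allowlist holds a placeholder digest that you would replace with fingerprints taken from a known-good device.

```python
"""Triage an installed Android package that claims to be a system service.

Added example (not from the article). Inputs are the text of
`adb shell dumpsys package <pkg>` and `apksigner verify --print-certs app.apk`;
the samples at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Placeholder allowlist: replace with the SHA-256 digests of the platform
# signing certificates read from a known-good device of the same vendor.
KNOWN_VENDOR_CERT_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",  # placeholder
}

# Subset of Android runtime ("dangerous") permissions.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
}
# Permissions that overlay ads and survive reboots need; a "Wi-Fi service" has no use for them.
AD_PERSISTENCE = {
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any single signal can be innocent; two or more together deserve a look.
        return len(self.reasons) >= 2


def parse_dumpsys(text: str):
    """Return (codePath, [requested permissions]) from dumpsys package output."""
    m = re.search(r"codePath=(\S+)", text)
    code_path = m.group(1) if m else None
    perms, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("requested permissions:"):
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):  # next section header
                in_block = False
                continue
            perms.append(stripped.split(":")[0].split(" ")[0])
    return code_path, perms


def parse_cert_sha256(apksigner_text: str):
    """Extract the signer certificate SHA-256 digest printed by apksigner."""
    m = re.search(r"SHA-256 digest:\s*([0-9a-fA-F]{64})", apksigner_text)
    return m.group(1).lower() if m else None


def triage(package: str, dumpsys_text: str, apksigner_text: str) -> Finding:
    f = Finding(package)
    code_path, perms = parse_dumpsys(dumpsys_text)
    digest = parse_cert_sha256(apksigner_text)
    if digest not in KNOWN_VENDOR_CERT_SHA256:
        f.reasons.append("signing certificate is not a known vendor certificate")
    if code_path and not code_path.startswith("/system"):
        # User storage: the app can be uninstalled without root, as the article notes.
        f.reasons.append(f"installed in user storage ({code_path}), not the system partition")
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    if len(dangerous) >= 4:
        f.reasons.append(f"requests {len(dangerous)} dangerous permissions: {', '.join(dangerous)}")
    if AD_PERSISTENCE & set(perms):
        f.reasons.append("requests overlay/boot/install permissions typical of persistent ad injection")
    return f


# Constructed sample input mimicking a fake "system" package in /data/app.
SAMPLE_DUMPSYS = """\
Package [com.example.fakewifi] (1a2b3c):
    codePath=/data/app/com.example.fakewifi-1
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_PHONE_STATE
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_APKSIGNER = "Signer #1 certificate DN: CN=Unknown\n" \
                   "Signer #1 certificate SHA-256 digest: " + "9f" * 32 + "\n"

if __name__ == "__main__":
    result = triage("com.example.fakewifi", SAMPLE_DUMPSYS, SAMPLE_APKSIGNER)
    print(result.package, "suspicious" if result.suspicious else "ok")
    for r in result.reasons:
        print(" -", r)
```

To use it on a real device, run `adb shell dumpsys package <pkg>` for the package behind the "System WIFI service" label, pull its APK with `adb pull` and feed the `apksigner verify --print-certs` output to `triage`. The digest comparison is deliberately an allowlist rather than a blocklist: a genuine vendor service is signed with the vendor's platform key, so anything else carrying a system-sounding name is worth a second look regardless of what it is called.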
