Android malware RottenSys found in 5 million devices

A new type of malware was recently discovered by researchers at Check Point. Dubbed RottenSys, it came preinstalled on several Android phones from brands such as Honor, Xiaomi, Samsung, among others, having been found in over 5 million devices. It aggresively displays ads on the infected device earning the attackers responsible over $100000 in ad revenue in just over a week. If not quickly mitigated researchers are worried it could be used as a botnet.


RottenSys—Pre-installed Android malware

Researchers at Check Point recently discovered a new type of malware, dubbed RottenSys, which targets Android devices with large scale ad campaigns. Contrary to the typical attack vectors of malware this variant appears to come pre-installed. Nearly 5 million phones by brands such as Honor, Huawei, Xiaomi and Samsung have been affected.

RottenSys hides itself under the name “System Wi-Fi Service”. Once the device is up and running the malware demands permission for nearly everything, including calendar read access and silent download permissions, which makes it nearly undetectable for the user. Furthermore, a waiting period before performing its operations together with only initially containing a non-malicious dropper module makes it even more difficult to detect.

Once the waiting period is up RottenSys will contact its Command & Control (C&C) center to retrieve a list of components required. When downloaded, these are responsible for any further malicious activity. Persistence is secured on the device through open-source frameworks.

Aggressive ad campaigns and possible botnet usage

With the malware firmly planted in the device its ad campaign begins. Users report aggressive advertisements on their home screen, through pop-up windows or even full-screen ads. According to Check Point in just 10 days ads were shows 13 250 756 times. 584 822 were translated into clicks. It is estimated to have earned the attackers $115 000 in those 10 days alone.

While the massive adware campaign is a cause for concern more threatening activities have been spotted. The same researchers found that the C&C server has been used for testing a botnet campaign since early February, 2018. If existing permissions and installation channels persist attackers could use them to drop their botnet code through, gaining control over millions of devices.


Advertisement on Android devices could originate from several causes. Therefore it’s not as easy for a regular user to mitigate it. However, if you are aware of the package names used by RottenSys they can be removed. This is done by navigating to the app manager within system settings and removing the following.

Package name App name 每日黄历
com.changmi.launcher 畅米桌面 系统WIFI服务