Chinese Hackers Create Botnet of 5 Million Android Devices
Chinese cybercriminals are using the RottenSys malware to build a botnet that already includes around 5 million Android devices. In its current form, the malware is used to display intrusive ads on infected devices. However, researchers from Check Point have found evidence that the operators are now using a new Lua-based module to bring the infected devices together into one massive botnet.
Expanded Capabilities Beyond Ads
According to the researchers, this botnet will give cybercriminals far more capabilities than just displaying ads. "This botnet will have advanced features, including stealthy installation of additional apps and automation of the user interface," the researchers wrote.
Evolution of RottenSys
Experts note that RottenSys was not always this dangerous. The malware first appeared in September 2016, and for most of its existence its operators focused on spreading it to display ads. Over time, the number of infected devices grew slowly but steadily, reaching 4,964,460 devices at the time of the report.
New Lua Module Increases Threat
The Lua component, which allows botnet operators to take control of infected devices, was only added to RottenSys last month. So far, the malware is active only in the Chinese market and spreads through infected Chinese apps. The majority of the botnet consists of Huawei devices (over 1 million), Xiaomi (almost 0.5 million), as well as OPPO, vivo, LeEco, Coolpad, and GIONEE devices.
Efficiency and Persistence
RottenSys is more efficient and harder to kill than most Android malware, thanks to two open-source projects published on GitHub. The first, Small, is an app-virtualization (plugin) framework; the second, MarsDaemon, makes app processes "immortal."
- First, using Small, the malware places its internal components in virtual containers, allowing them to run in parallel, something the Android OS does not normally support for a single app's components.
- Then, with MarsDaemon, the malware keeps its processes alive: even if the user tries to close them, the ad-injection mechanism keeps running.
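The persistence trick above leaves a footprint that defenders can look for. MarsDaemon keeps an app alive by splitting its components across more than one process so that each process can restart the other when it is killed; in AndroidManifest.xml that shows up as several distinct `android:process` values, each declaring both a `<service>` and a `<receiver>`. The script below is an added example written for this article, not code from the article itself or from Check Point. The detection rule (two or more processes that each hold a service and a receiver) is this editor's heuristic, not a published signature, and the sample manifests are constructed; legitimate apps that split work across processes can match it too, so treat a hit as a triage lead rather than a verdict.

```python
"""Heuristic triage of an Android manifest for a MarsDaemon-style
dual-process watchdog layout (added example; rule is an assumption)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:process."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def components_by_process(manifest_xml: str) -> dict:
    """Map each process name to the set of component kinds declared in it."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        return {}
    by_proc = defaultdict(set)
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            # Components without android:process run in the default process,
            # which Android names after the package; ":name" is private and
            # relative to the package.
            proc = _attr(comp, "process") or pkg
            if proc.startswith(":"):
                proc = pkg + proc
            by_proc[proc].add(kind)
    return dict(by_proc)


def watchdog_processes(manifest_xml: str) -> list:
    """Return processes that each declare both a service and a receiver.

    Heuristic (assumption): a mutual-watchdog layout needs at least two such
    processes so that each can revive the other. One match is normal for a
    single-process app and is not flagged.
    """
    by_proc = components_by_process(manifest_xml)
    candidates = sorted(
        proc for proc, kinds in by_proc.items() if {"service", "receiver"} <= kinds
    )
    return candidates if len(candidates) >= 2 else []


def is_suspicious(manifest_xml: str) -> bool:
    return bool(watchdog_processes(manifest_xml))


# Constructed sample manifests; not taken from any real app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <service android:name=".KeepAliveService1" android:process=":process1"/>
    <receiver android:name=".KeepAliveReceiver1" android:process=":process1"/>
    <service android:name=".KeepAliveService2" android:process=":process2"/>
    <receiver android:name=".KeepAliveReceiver2" android:process=":process2"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <application android:name=".App">
    <activity android:name=".MainActivity"/>
    <service android:name=".PlaybackService"/>
    <receiver android:name=".HeadsetReceiver"/>
    <service android:name=".SyncService" android:process=":sync"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, watchdog_processes(manifest))
```

To use it on a real sample, decode the binary manifest first (for example with apktool or aapt dump xmltree) and feed the resulting XML text to `watchdog_processes`. Pairing a hit with the other traits described in the article, such as components loaded from plugin containers and persistent ad-injection activity, is what turns the heuristic into a meaningful finding.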