5 million Android phones found with pre-installed malicious software

A Massive malware campaign was discovered by security researchers, already having infected 5 million mobile devices worldwide. Dubbed RottenSys, the campaign is a “supply chain attack” malware, masked as a ‘System WiFi service’ app which comes pre-installed on millions of smartphones produced by popular brands like Samsung, Honor, Xiaomi, Huawei, OPPO and others.

Researchers are speculating if Tian Pai, the mobile phone distributor, has direct involvement in this campaign due to the fact that all the infected mobile devices were shipped through them.

RottenSys is a sophisticated malware which takes all Android’s sensitive permissions to act. In addition, to evade detection, it begins with no malicious activity. When it initiates, RottenSys contacts the Command & Control serves to get the malicious code to enhance its functionality. The malware uses the “DOWNLOAD_WITHOUT_NOTIFICATION” permission in order to remain undetected by the user.

For now this campaign distributes an adware component to infected devices which displays advertisements on the device’s home screen. Because of mentioned abilities such as downloading and installing components from a Command & Control server (C2 server), the attackers are able to pivot towards distributing a more malicious and harmful type of malware going forward. There is also some evidence showing the attackers have already started turning infected devices into a botnet network.

Possible impact on enterprise networks:

  • Possible infection of workstations via emails from infected smartphones.
  • If the malware has a foothold on workstations, possible credential theft from enterprise apps. Company emails can be infected with garbage ads.

Security researchers have reported that the malware developers are planning to add extra malicious functionalities to the malware exploit Tencent’s Tinker application virtualization framework, as a downloader capability. Downloaded payloads will render infected devices into slaves in a large-scale Botnet.

Indicators of compromise:
To check if a smartphone is infected, go to the Android setting, App Manager, and look for the following packages:
com.android.yellowcalendarz (每日黄历)

com.changmi.launcher (畅米桌面)

com.android.services.securewifi (系统WIFI服务)


We recommend to always remain alert on the web and to be extra cautious downloading software you if you are not sure regarding its origins.

Also, emails originating from Android devices should be inspected on workstations, as these emails may contain RottenSys infection artifacts that can be avoided.