Preinstalled malware on 5 million Android phones

Over 5 million Android phones has been discovered with preinstalled malware by default. The malware is called RottenSys, it comes camouflaged as an app called “System Wi-Fi Service”. All devices have in common that they were sent by the same distributor of mobile phones based in Hangzhou, but is not sure if the company has direct involvement in this campaign. The manufacturers that have been affected are Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE.

Check Point Mobile Security Team researchers uncovered this malware campaign. They detected that malicious app was obtaining privileges to system sensitive services to carry out its malicious activities.

The malware is waiting for a period until, through a communication and control server, it downloads components with malicious code without notifying the user. Once downloaded it begins to display advertising contents even on the device's home screen.

To check if the phone is infected, through the Application Manager you can check if one of the applications detected by Check Point are installed (com.android.yellowcalendarz, com.changmi.launcher, com.android.services.securewifi, com.system.service.zdsgt) If you have one of them uninstall it to remove the malware.