Skip to Main Content
RottenSys: Some smartphones are coming with malware already installed

RottenSys: Some smartphones are coming with malware already installed

This is probably the one smartphone feature you did not have on your “must have” list: Researchers have uncovered a stream of phones hitting the market which come with malware, named RottenSys, pre-installed – without their new owners having to do a single swipe.

Nearly 5 million phones are believed to be included in this scheme. Impacted labels include GIONEE, Honor, Huawei, OPPO, Samsung, Vivo and Xiaomi. While all of the infected phones seem to have come through Tian Pai, a Chinese distributor based in Hangzhou, the precise connection has not yet been uncovered.

While the malware has been named RottenSys, impacted users see this as a more innocuous “System Wi-Fi service” app that came pre-installed their phones.

RottenSys comes in quietly

RottenSys does not start malicious as to not set off any alarms. Instead, it starts out by chatting with its command-and-control servers to get first a shopping list and then it gets the malicious code.

This particular batch of code turns into an adware campaign with a barrage of ads appearing on the victim’s device as full-screen and pop-up ads, producing a stream of ad revenue for the cybercriminals.

Then it pumps up the volume

That is just the start. The CheckPoint researchers believe the malware can then mutate according to whatever its C&C overloads command. They expect that the malware will become part of a larger botnet which could distribute other apps and change the victim’s UI around.

RottenSys is part of the modern trend in malware of not taking money directly from your pocket like ransomware – but forcing you to watch irritating ads – and then billing the advertisers for their effort. Nobody is saying if these ads are really “high value”.

Software is built like your car – drive with care

At its core, RottenSys is a supply chain vulnerability in the software industry. It is like your car, with multiple factories making foam padding, fabrics, steel frames, another factory putting this together into a seat and shipping it off to the final assembly plant where it arrives about 45 minutes before being bolted into place. Automakers watch this entire supply chain extremely closely — and RottenSys is a sign that the IT industry needs to do so as well.

What can you do to stay safe

There is a silver lining though. Due to the prerequisites that need to be given for the malware to be on your phone most of the infected phones are based in China – so if you have not bought your device from over there you should be safe. To be really sure though, you can do the following:


  • (每日黄历)
  • com.changmi.launcher (畅米桌面)
  • (系统WIFI服务)
  • com.system.service.zdsgt

This post is also available in: FrenchItalian

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.