
Chinese ad firm pwns Android users, creates hijackable global botnet

Horrid marketing outfit roots user phones, exposes devices to malware hell

A Chinese advertising company has infected and 'completely' hijacked likely hundreds of thousands of Android handsets with an attack so careless it exposes a global botnet to easy hijacking and opens handsets to total compromise by any malware.

FireEye (yet again, these guys need to get some sleep) researchers Yulong Zhang, Zhaofeng Chen, and Yong Kang say Chinese marketing company Xinyinhe, which promotes itself as a big player in the app advertising game, is behind the attack.

They didn't tag the number of infected devices, but Xinyinhe claims to have 'customers' in 50 countries and be valued as of November at $100 million after it received some $20 million in seed funding in 2013.

FireEye has been asked for the number of infected victims.

The trio say the attack builds its network of customers by tricking them into installing malware that gains root access on some 308 different handsets running virtually all versions of the Android operating system from Gingerbread (2.3.4) to the latest stable Lollipop (5.1.1) build.

These victims are enslaved into a "very large" global botnet that, incredibly, uses plain text for command and control communications allowing "anyone" to hijack it.

Infection process


Once infected, the malware will install legitimate but booby-trapped applications without user consent, automatically clicking installation and permission warning prompts.

It installs a backdoor and maintains persistence on devices, and opens its attack vector to compromise by third-party malware.

Xinyinhe cannot be reached for comment as it has taken down its site and another linked to the malware. Web archives were not accessible at the time of publication.

"This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organisation," the researchers say.

An overview of the malicious adware workflow


"Any affected user may have inadvertently compromised their user credentials for some online services [and should] change their passwords for any online services such as iTunes, online banking, email, and work accounts."

The trio say the attackers are so careless that the infected apps, which have "full control" root access to phones, will allow any malware to share that privileged access.

This means writers of less harmful malware could take advantage of the infections to gain root privilege, hijack the devices, and inflict "permanent damages".

So far some 300 infected apps have been discovered including the popular Amazon, Memory Booster, and Clean Master.
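Repackaged copies of popular apps such as the ones named above are signed with the repackager's key rather than the original vendor's, so one practical defender check is to compare each installed package's signing-certificate fingerprint against a baseline taken from trusted installs. The following is an added illustration of that audit, not code from FireEye or from the article; the certificate bytes, package names and baseline are all constructed placeholders (real fingerprints come from the vendor's published certificate or an APK pulled from a trusted store).

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for DER-encoded signing certificates. On a real
# device these are read from the APK's signature block (e.g. via apksigner).
GENUINE_CERT = b"-----CONSTRUCTED GENUINE VENDOR CERT-----"
REPACKAGER_CERT = b"-----CONSTRUCTED THIRD-PARTY CERT-----"


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, upper-case hex with colon
    separators, the same layout apksigner and keytool print."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_installed(installed: List[Tuple[str, bytes]],
                    baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare each installed package's signer against the baseline.

    Returns (package, verdict, fingerprint) tuples where verdict is
    'ok' (signer matches), 'repackaged' (known app, unexpected signer)
    or 'unknown' (no baseline entry, so it needs manual review).
    """
    findings = []
    for package, cert_der in installed:
        fp = signer_fingerprint(cert_der)
        expected = baseline.get(package)
        if expected is None:
            verdict = "unknown"
        elif fp == expected:
            verdict = "ok"
        else:
            verdict = "repackaged"
        findings.append((package, verdict, fp))
    return findings


def suspicious_packages(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Package names that did not verify cleanly, in inventory order."""
    return [pkg for pkg, verdict, _ in findings if verdict != "ok"]


# Baseline built from trusted installs (constructed here; hypothetical
# package names, not the real apps' identifiers).
BASELINE = {
    "com.example.memorybooster": signer_fingerprint(GENUINE_CERT),
    "com.example.cleanmaster": signer_fingerprint(GENUINE_CERT),
}

# Constructed device inventory: one genuine app, one repackaged copy
# signed by a different key, and one package with no baseline entry.
INVENTORY = [
    ("com.example.memorybooster", GENUINE_CERT),
    ("com.example.cleanmaster", REPACKAGER_CERT),
    ("com.example.unlisted", REPACKAGER_CERT),
]


if __name__ == "__main__":
    for pkg, verdict, fp in audit_installed(INVENTORY, BASELINE):
        print(f"{verdict:10s} {pkg}  {fp[:23]}...")
```

A mismatch flags the package for review rather than proving it is the adware, since a vendor may legitimately rotate keys; the value of the check is that a repackaged app cannot reproduce the original signer's fingerprint without the original private key.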

World infection map


The adware uses "novel" and impressive techniques for persistence and obfuscation, such as installing system-level services and modifying the boot recovery script used to flash new operating system ROMs.

Zhang, Chen, and Kang say attackers have repackaged the popular apps with malicious logic that is continuously updated.

The most recent samples sport more powerful obfuscation and packing mechanisms.

Additional technical information is available in FireEye's analysis. ®
