- Malware is named as Cosiloon
- It was found in phones from ZTE, Archos, and myPhone
- Adware, installed on a firmware level, is difficult to remove
Hundreds of Android smartphones and tablets, including ones from manufacturers such as ZTE, Archos, and myPhone, have been found to ship with pre-installed adware. Interestingly, a large number of such handsets are not certified by Google. According to a new report, several low-cost, non-Google-certified Android smartphones shipped with inbuilt malware that could make users download apps they did not want to. The malware is called Cosiloon and it is said to overlay ads over the OS to promote apps or even trick users into downloading them.
As per a blog post by Avast Threat Labs, this particular type of adware simply loads ads in your smartphone browser. Avast has named the manufacturers and said that several hundred models have been affected. Interestingly, most of them are tablets and are powered by MediaTek processors. Avast has identified roughly 18,000 devices infected by the malware in over 100 countries, including Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania. A detailed list of models is now available, but Avast says that only some variants of said devices may contain the malware.
Cosiloon essentially creates an advertisement over the webpage the smartphone users might be loading in their browsers. Avast says that it has been active for at least three years, and it is difficult to remove, as it is installed on the firmware level “and uses strong obfuscation.”
Meanwhile, Google has also been notified of the malware, and it is said to be working to “mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques.” Avast says that Google has reached out to the firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.
Notably, the app comprises a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘Settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,'” explains Avast.
As per Avast, a hundred different payload versions have been discovered, and the latest includes ad frameworks from Google, Facebook, and Baidu. The payload essentially disguises itself as a system application in the launcher to avoid detection. Also, some of the package names included ‘MediaService,’ ‘eVideo2Service,’ and ‘VPlayer.’
Avast claims that its antivirus app can now detect and uninstall the payload, but due to permission restraints, it cannot disable the dropper. However, Google Play Protect can disable both the payload and dropper, but unfortunately, the affected devices may not have the app as they are not certified by Google.
Meanwhile, users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.