When you get a brand new phone, you expect it to be clean of bloatware, malware and adware. Unfortunately, that is not always the case. The Avast Threat Labs, on Thursday, reported adware pre-installed on several hundred different Android devices (models and firmware versions), including devices from manufacturers such as ZTE, Archos and myPhone. These phones shipped with a strain of malware built into the firmware that pushes users towards downloading apps they never asked for. The majority of the affected devices are not certified by Google.
The malware, called Cosiloon, draws advertisements over the operating system in order to promote apps, or even trick users into installing them. The adware has been active for at least three years and is difficult to remove because it is part of the firmware, and its payload uses strong obfuscation. The adware creates an overlay that displays an ad on top of whatever web page is open in the user's browser. In practice, that means advertisements appearing over the Google Play store and Google Chrome, even though neither Google app is the source of the problem.
The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings’. We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess’,” wrote Avast.
The dropper then connects to a website to fetch the payloads the operators wish to install on the phone. The XML manifest it downloads specifies what to download and which services to start. It also contains a whitelist that can exclude specific countries and devices from infection; at the time of writing, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded into the dropper APK, which at least makes it a simple, static network indicator to block at the DNS or firewall level. The problem comes down to three things:
- The dropper can install application packages defined by a manifest that is downloaded over an unencrypted HTTP connection, without the user’s consent or knowledge (and, since the channel is plain HTTP, anyone able to intercept that connection could substitute their own manifest).
- The manufacturer, OEM or carrier preinstalled the dropper somewhere in the supply chain.
- The user cannot remove the dropper, because it is a system application, i.e., part of the device’s firmware.
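As an added example (not code from Avast or from the original article), the following Python script shows the kind of check a practitioner would run over the output of `adb shell pm list packages -f -s` to spot a passive system-partition dropper by name, and the `pm disable-user` commands that are the usual non-root remediation for a system app that cannot be uninstalled. The package listing below is constructed sample data, and the package identifiers in it are placeholders: the page only gives the dropper's display names, ‘CrashService’ and ‘ImeMess’, not its package names.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -f -s` output.
# Paths follow the real "package:<apk path>=<package name>" format, but the
# package names are placeholders, not identifiers reported for Cosiloon.
SAMPLE_PM_OUTPUT = """package:/system/app/CrashService/CrashService.apk=com.example.crashservice
package:/system/priv-app/ImeMess/ImeMess.apk=com.example.imemess
package:/system/app/Browser/Browser.apk=com.android.browser
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

# Display names Avast reported for the dropper; matched case-insensitively
# against both the APK path and the package name.
DROPPER_NAMES = ("crashservice", "imemess")

# Greedy path, then the package name after the last '=' on the line.
LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[^=]+)$")


def parse_pm_list(output: str) -> List[Dict[str, str]]:
    """Turn `pm list packages -f` output into {path, pkg} records."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"path": m.group("path"), "pkg": m.group("pkg")})
    return entries


def is_system_partition(path: str) -> bool:
    """Apps under /system ship with the firmware and cannot be uninstalled without root."""
    return path.startswith("/system/")


def find_suspect_droppers(output: str) -> List[Dict[str, str]]:
    """Flag system-partition packages whose path or name matches a known dropper name."""
    suspects = []
    for entry in parse_pm_list(output):
        haystack = (entry["path"] + " " + entry["pkg"]).lower()
        if is_system_partition(entry["path"]) and any(n in haystack for n in DROPPER_NAMES):
            suspects.append(entry)
    return suspects


def remediation_commands(suspects: List[Dict[str, str]]) -> List[str]:
    """adb cannot remove a /system app without root, but it can disable it for user 0."""
    return [f"adb shell pm disable-user --user 0 {e['pkg']}" for e in suspects]


if __name__ == "__main__":
    found = find_suspect_droppers(SAMPLE_PM_OUTPUT)
    for e in found:
        print(f"suspect dropper: {e['pkg']} at {e['path']}")
    for cmd in remediation_commands(found):
        print(cmd)
```

Disabling the dropper stops it from fetching new manifests, but it does not touch payloads that were already installed; those show up as ordinary user apps and can be uninstalled in the usual way or removed by a mobile antivirus.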
A document published by Avast lists the affected devices. Most, if not all, of the devices on the list run a MediaTek chipset. “The list is likely so extensive because the malware was part of a chipset platform package which is reused for many similar devices with different brand names,” said Vojtech Bocek of Avast Software. “We cross-checked many, but not all of the devices, and noticed that the chipset on the devices we inspected was from MediaTek.”
“This list contains only devices that had more than 10 unique users in the last month,” said Avast. “There are about 800 more device types that had less. The list is sorted by the number of detections.”
Avast can detect and remove the payloads, and recommends following its published instructions to disable the dropper itself. If the dropper spots antivirus software on the phone it stops showing notifications, but it will still push download prompts as you browse in the default browser, and each of those prompts is a gateway to further, potentially worse, malware.