According to Avast, thousands of Android smartphones are being shipped with adware pre-installed, including the devices from manufacturers like ZTE and Archos. Interestingly, the majority of these devices are not certified by Google. The malware is named ‘Cosiloon’ creates an overlay to present an ad over a webpage within the users’ browser.
Avast claims that the adware has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation. Whats scarier is that thousands of users are affected, and in the past one month the latest version of the adware is found in around 18,000 devices located in more than 100 countries including Russia, Italy, Germany, the UK, as well as in the U.S.
The company says that it is in touch with Google who is aware of the issue and is also taking steps to mitigate the malicious capabilities. Google is working on fixing the malware’s app variants on Android smartphones using internally developed techniques. Though there is Google Play Protect, the malware comes pre-installed which makes is harder to address. Google is reaching out to firmware developers to bring awareness to these concerns and encourage in taking steps accordingly.
It is also unclear how the adware got onto the devices, and the malware authors kept updating the control server with new payloads. On the other hand, Manufacturers also continued to ship new devices with the pre-installed dropper. The payload was updated again on April 8th, 2018 and the name in app launcher changed to “Google Download,” and some class names in the code changed (notably “.backservice” to “.startService”), likely in an attempt to avoid detection.
Since the malware is part of the chipset platform package which is reused on other brands as well and the chipset in question happens to be from MediaTek running different Android versions ranging from 4.2 to 6.0. Avast says that some anti-virus apps report the payloads, but the dropper will install them back again right away, and the dropper itself can’t be removed. So, the device will forever have a method allowing an unknown party to install any application they want on it.
Users can find the dropper in their settings (named “CrashService,” “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper, and once Avast removes the payload, it will not return.