Avast: Android Devices Ship With Pre-Installed Malware

Chennai, May 25, 2018: The Avast Threat Labs have found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE, Archos, and myPhone. The majority of these devices are not certified by Google. The adware goes by the name “Cosiloon” and creates an overlay to display an ad over a webpage within the user’s browser. Thousands of users are affected, and in the past month alone, the Avast Threat Labs has seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the U.S.

The adware which was previously analyzed by described by Dr. Web, hasbeen active for at least three years, and is difficult to remove as it isinstalled on the firmware level and uses strong obfuscation. The Avast ThreatLabs is in touch with Google and they are aware of the issue. Google has takensteps to mitigate the malicious capabilities of many app variants on severaldevice models, using internally developed techniques. 

Google Play Protect has been updated to ensure there iscoverage for these apps in the future. However, as the apps come pre-installedwith firmware, the problem is difficult to address. Google has reached out tofirmware developers to bring awareness to these concerns and encouraged them totake steps to address the issue.

Identifying Cosiloon

In the last few years, the Avast Threat Labs haveobserved from time to time some strange Android samples in their database. Thesamples appeared to be like any other adware sample, with the exception thatthe adware appeared to have no point of infection and several similar packagenames, the most common being:

  •  com.google.eMediaService
  •  com.google.eMusic1Service
  •  com.google.ePlay3Service
  •  com.google.eVideo2Service

It is not clear how the adware got onto the devices. The  malwareauthors kept updating the control server with new payloads. Manufacturers alsocontinued to ship new devices with the pre-installed dropper. Some antivirusapps report the payloads, but the dropper will install them right back againand the dropper itself can’t be removed, so the device will forever have amethod allowing an unknown party to install any application they want on it.The Avast Threat Labs have observed the dropper install adware on the devices,however, it could easily also download spyware, ransomware or any other type ofthreat.

Avast has attempted to disable Cosiloon’s C&C serverby sending takedown requests to the domain registrar and server providers. Thefirst provider, ZenLayer, quickly responded and disabled the server, but it wasrestored after a while using a different provider. The domain registrar has notresponded to our request, so the C&C server still works.

“Malicious apps can, unfortunately, be installed onfirmware level before they are shipped to customers, probably without themanufacturer’s knowledge," said Nikolaos Chrysaidos, Head of Mobile ThreatIntelligence & Security at Avast. “If an app is installed on the firmwarelevel, it is very difficult to remove, making cross-industry collaborationsbetween security vendors, Google and OEMs imperative. Together, we can ensure asafer mobile ecosystem for Android users.“

Avast Mobile Security can detect and uninstall thepayload, but it cannot acquire the permissions required to disable the dropper,so Google Play Protect has to do the heavy lifting. If a device is infected, itshould automatically disable both the dropper and the payload. Avast knows thisworks because the Avast Threat Labs has observed a drop in the number ofdevices infected by new payload versions after Play Protect started detectingCosiloon. 

How to deactivate Cosiloon

Users can find the dropper in their settings (named“CrashService”, “ImeMess” or “Terminal” with generic Android icon), and canclick the "disable" button on the app's page, if available (dependingon the Android version). This will deactivate the dropper and once Avastremoves the payload, it will not return again.

Avast Mobile Security can be downloaded for free from theGoogle Play Store. Avast is also working with mobile carriers around the world,including all four of the leading carriers in the U.S., to protect users frommobile threats.

  (0)   Comment