Avast: Android Devices Ship With Pre-Installed Malware

The Avast Threat Labs have found in their research that the hundred of Android device models and versions including s some well known mobile manufacturers like ZTE and Archos come with pre-installed adware. If you see these devices then the majority of them are not certified by the Google. 

The Adware that affected these device named “Cosiloon”. Know you may think what it do? basically, the work of this adware is to create an overlay to display an ad over a webpage within the user’s browser.

According to the Avast report, thousand of the users affected with the cosiloon in the past month and the latest version of the Adware infected the around 18000 devices in more than 100  than 100 countries including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the U.S.

An Android adware which was active for last three years detected by the Dr. Web was very difficult to remove because it was installed on the firmware level. Also, the Avast Threat lab mentioned on their blog that they are in touch with Google and they are aware of this adware. According to the Google, they continuously taking steps to reduce the malicious capabilities of different apps using internal developer techniques.

Identifying Cosiloon

In the last few years, the Avast Threat Labs have observed from time to time some strange Android samples in their database. The samples appeared to be like any other adware sample, with the exception that the adware appeared to have no point of infection and several similar package names, the most common being:

· com.google.eMediaService

· com.google.eMusic1Service

· com.google.ePlay3Service

· com.google.eVideo2Service

It is not clear how the adware got onto the devices. The malware authors kept updating the control server with new payloads. Manufacturers also continued to ship new devices with the pre-installed dropper. Some antivirus apps report the payloads, but the dropper will install them right back again and the dropper itself can’t be removed, so the device will forever have a method allowing an unknown party to install any application they want on it. The Avast Threat Labs have observed the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat.

Avast has attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. The first provider, ZenLayer, quickly responded and disabled the server, but it was restored after a while using a different provider. The domain registrar has not responded to our request, so the C&C server still works.

“Malicious apps can, unfortunately, be installed on firmware level before they are shipped to customers, probably without the manufacturer’s knowledge,” said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast. “If an app is installed on the firmware level, it is very difficult to remove, making cross-industry collaborations between security vendors, Google, and OEMs imperative. Together, we can ensure a safer mobile ecosystem for Android users.“

Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting. If a device is infected, it should automatically disable both the dropper and the payload. Avast knows this works because the Avast Threat Labs has observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.

How to deactivate Cosiloon

Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.