Avast: Android Devices Ship With Pre-Installed Malware

Security

The Avast Threat Labs have found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE, Archos, and myPhone. The majority of these devices are not certified by Google. The adware goes by the name “Cosiloon” and creates an overlay to display an ad over a webpage within the user’s browser. Thousands of users are affected, and in the past month alone, the Avast Threat Labs has seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the U.S.

The adware which was previously analyzed by described by Dr. Web, has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation. The Avast Threat Labs is in touch with Google and they are aware of the issue. Google has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques.

Google Play Protect has been updated to ensure there is coverage for these apps in the future. However, as the apps come pre-installed with firmware, the problem is difficult to address. Google has reached out to firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.

Identifying Cosiloon

In the last few years, the Avast Threat Labs have observed from time to time some strange Android samples in their database. The samples appeared to be like any other adware sample, with the exception that the adware appeared to have no point of infection and several similar package names, the most common being:

  • com.google.eMediaService
  • com.google.eMusic1Service
  • com.google.ePlay3Service
  • com.google.eVideo2Service

It is not clear how the adware got onto the devices. The  malware authors kept updating the control server with new payloads. Manufacturers also continued to ship new devices with the pre-installed dropper. Some antivirus apps report the payloads, but the dropper will install them right back again and the dropper itself can’t be removed, so the device will forever have a method allowing an unknown party to install any application they want on it. The Avast Threat Labs have observed the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat.

Avast has attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. The first provider, ZenLayer, quickly responded and disabled the server, but it was restored after a while using a different provider. The domain registrar has not responded to our request, so the C&C server still works.

“Malicious apps can, unfortunately, be installed on firmware level before they are shipped to customers, probably without the manufacturer’s knowledge,” said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast. “If an app is installed on the firmware level, it is very difficult to remove, making cross-industry collaborations between security vendors, Google and OEMs imperative. Together, we can ensure a safer mobile ecosystem for Android users.“

Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting. If a device is infected, it should automatically disable both the dropper and the payload. Avast knows this works because the Avast Threat Labs has observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.

How to deactivate Cosiloon

Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.

Avast Mobile Security can be downloaded for free from the Google Play Store. Avast is also working with mobile carriers around the world, including all four of the leading carriers in the U.S., to protect users from mobile threats.

Leave a Reply

17 + 17 =