Hundreds Of Cheap Smartphone Models Come Loaded With Malware

Joanna Estrada
May 27, 2018

Avast has found that many low-priced, non-Google-certified Android phones shipped with a strain of malware built in that could send users to download apps they didn't intend to access.

Two years after being outed, a criminal operation that has been inserting malware in the firmware of low-priced Android devices is still up and running, and has even expanded its reach.

Global cyber-security firm Avast said in a blog post that a majority of the devices found to be carrying the adware, called "Cosiloon", are not certified by Google.

The malware in question creates an overlay to display ads on the device, and has been active for at least three years.

The adware, which was previously described by Dr Web (a Russian IT-security solutions vendor), has been active for at least three years and is hard to remove because it is installed at the firmware level and uses strong obfuscation.

Avast has received reports of the malware from users in over 90 countries, with the top ten over the last month being Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania.

Avast has contacted representatives of Google, which "has taken steps to mitigate the malicious capacity of many options of apps on multiple devices using built-in methods". Avast says it identified devices infected with the malware in Europe and the USA, suggesting the problem is widespread. Google Play Protect should be able to spot and disable Cosiloon and you can use a reputable antivirus app to manually uninstall the payload. Google has reached out to firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.

"When you get a brand new phone, you expect it to be clean from any malware and adware." Avast found that the malware itself is not preinstalled on the phone; it arrives through a "dropper" program that is integrated into the device's firmware.

Avast has also warned about the presence of other varieties of related malware in the same applications that are distributing the Cosiloon adware.

Avast sent takedown requests to the domain serving payload APKs, but the server has since moved to another provider.

Researchers wrote that the whole assembly consists of the dropper and the payload.

Users can find the dropper in their settings (named "CrashService", "ImeMess" or "Terminal", with a generic Android icon), and can click the "disable" button on the app's page, if available (depending on the Android version).

Avast can detect and remove the payloads, and it recommends following the instructions above to disable the dropper. If you haven't bought an incredibly cheap Android product without Google Play Services installed over the past few years, you can go about your day worry-free.
