Android devices found with pre-installed malware

News by Rene Millman

Smartphones from ZTE, MediaTek, Archos and Blaupunkt found with adware. Thousands of Android devices are thought to harbour nasty adware that comes pre-installed.

Thousands of Android devices are thought to harbour nasty adware that comes pre-installed.

According to researchers at Avast, the devices come with a type of adware known as Cosiloon, first identified back in 2016. The adware is used to load ads in the smartphone's browser.

In a blog post, around 700 smartphone models are thought to be affected. The majority of these devices are not certified by Google. Avast has found around 18,000 devices infected by the malware in over 100 countries, including Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania.

The adware is difficult to remove as it is installed at the firmware level and uses strong obfuscation. The adware is found on devices with chipsets from MediaTek running different Android versions ranging from 4.2 to 6.0.

The adware is composed of a dropper and a payload.  "The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under 'Settings.' We have seen the dropper with two different names, 'CrashService' and 'ImeMess,'" said researchers Vojtech Bocek and Nikolaos Chrysaidos.

The payload APK contains Google, Facebook and Baidu ad frameworks. It is able to detect any antivirus software and will "hold back any suspicious actions so that it goes unnoticed," according to researchers. An update mechanism is also built-in, and is capable of downloading additional dex files from the internet.

The researchers said that the most “jarring” aspect of the incident is that Dr. Web reported on this in 2016 “and yet nothing happened”.

“The control server was live until April 2018, and the authors kept updating it with new payloads,” they said. “We have attempted to disable Cosiloon's C&C server by sending takedown requests to the domain registrar and server providers.”

The IT security firm has contacted Google, which it said "has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques.”

Liviu Arsene, senior e-Threat Analyst at Bitdefender, told SC Media UK that since these devices have not been certified by Google, it's safe to speculate that the installed firmware did no undergo their strict vetting process. 

“It's not uncommon for adware to be pre-installed on low-end Android devices, especially those that have not been certified by Google. It's likely some manufacturers might not know about the adware, simply because the firmware is provided by a third party, or other chose to enable adware providers to preinstall adware within the firmware based on some sort of OEM deal,” he said.

Dr Johannes Ullrich, dean of research SANS Institute of Technology, told SC Media UK that corporate networks should never allow unapproved devices to connect. 

“If employees are allowed to bring their own devices, then these devices should connect to a separate “guest” network that is isolated from the corporate network. Employees should not be allowed to store corporate data (eg e-mail) on devices that have not been approved,” he said.

Santiago Torres, senior mobility specialist at Wandera, told SC Media UK that app-only threat defence solutions can help detect malicious software, but do little to prevent data exfiltration. 

“It's crucial that organisations ensure that both the devices themselves and the networks they connect to are secured. They should adopt solutions that can block risky connections and intercept any unwanted loss of data,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews