Not all Android phones are equal. Not all of them come clean and new. Not all of them are free of malware when you unbox them... This probably won't be surprising for many of our readers as we have seen similar reports and stories several times in the past, but Avast is giving all of us a good reminder.
The antivirus maker, which is currently trying to make things work with the latest Windows 10 version, has discovered several hundred different Android device models and versions that come with malware or adware preinstalled. In the case of adware, well-known brands like ZTE are also included in the list of offenders. "The majority of these devices are not certified by Google," Avast wrote in its latest blog post.
Pre-installed Android malware discovered on hundreds of devices
The adware in question is Cosiloon, which overlays advertisements over the OS to promote apps or trick users into downloading those apps. It is extremely difficult to remove Cosiloon since it is installed at the firmware level and uses strong obfuscation to avoid removal.
Researchers wrote that the whole assembly consists of the dropper and the payload. While older versions of the malware had a separate adware app pre-installed in the /system partition, this approach seems to have been replaced in favor of a dropped payload.
The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under “settings”. We have seen the dropper with two different names, “CrashService” and “ImeMess”.
Avast said that the malware/adware has evolved over the years. In some cases, it is being embedded in SystemUI.apk instead of being a separate system app. "This makes the dropper pretty much impossible to remove by the user," researchers wrote.
"The SystemUI.apk samples we examined were also infected with two more malware packages, all capable of showing apps, installing additional APKs from the internet and submitting private data such as IMEI, Mac address and phone number to remote servers, but their code seems unrelated to the Cosiloon family," Avast wrote.
Installer was added in these low-cost Android phones by OEM, carriers
As noted earlier, almost all of the devices found with pre-installed malware were not certified by Google, as the installer was added by the manufacturer or carrier. Over 142 devices have been added to the list of affected models, with victims in over 90 countries - mostly in the UK, Russia, Italy, Germany, France, and Romania.
Avast has shared some steps to disable the malware, but even without this, you should probably stay cautious of the manufacturers and devices that have no quality control as it puts your data at risk of exposure.