Security researchers with Avast discovered that some Android smartphones have been shipping with malware pre-installed. The devices—from manufacturers such as ZTE, Archos, and Prestigio—come with a brand of ad-related malware dubbed “Cosiloon.”
The Cosiloon malware creates a pop-up on the phone’s screen in order to display ads when the user opens their phone’s built-in web browser. These ads often advertise other malicious apps—which, if clicked, download more malware onto the user’s device. Cosiloon is composed of two APKs: a dropper (which installs the malware) and the malware payload. Avast uncovered two types of droppers—“CrashService” and “ImeMess”—and more than 100 different payload variants. The payload masquerades as a system application to avoid being discovered by antivirus applications.
While Cosiloon has been around for several years, it is not particularly widespread. It affects fewer than 1,000 users, mostly on budget handsets not certified by Google, in 90 different countries. Avast’s antivirus app can now detect and disable the payload but not the dropper. Google Play Protect can disable both the payload and the dropper, but most of the affected devices don’t have Play Protect installed. Avast and Google are also working together to find a permanent fix to Cosiloon.
Earlier this month, another piece of Android malware (“ZooPark”) was discovered. This malware was used for surveillance against targeted Android phone users in the Middle East. The malware takes over nearly all the phone’s functions in order to steal passwords, listen to phone calls, and download photos from memory cards. Other devices have been infected with cryptocurrency-mining malware.
While it’s not necessarily foolproof, a good anti-malware app can help ensure malicious software like this doesn’t take hold on your own Android device.