Security researchers have discovered pre-installed malware named Cosiloon on several hundred low-cost Android devices across 90 countries.
Researchers from Avast Threat Lab discovered adware pre-installed on 141 android devices which include manufacturers like ZTE and Archos.
“The Avast Threat Labs has found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE and Archos. The majority of these devices are not certified by Google.”
The adware was first spotted by researchers from Dr. Web in 2015 and has been active for at least three years. The adware creates an overlay to display an ad over mobile apps.
According to researchers thousand of users are already infected with the adware, and in the past month alone the latest adware has affected around 18,000 devices which are owned by avast users.
The cosiloon consist of two components called a dropper and a payload. In dropper, there are two variants.
The first variant is small application located on the system partition of the infected device. The app is only visible to the user in the list of system application under ‘settings.’
The second dropper variant code is similar to the first variant, but it is not a separate application. The code is integrated into SystemUI.apk which is one of the key parts of Android OS and makes it impossible to remove.
Researchers also said that the malware doesn’t drop any malicious app if the number of apps installed is less than three and if the device language is set to Chinese.
The researchers tried to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. The ZenLayer provider quickly disabled the server but was restored after some time using a different provider.
Users over 90 countries are affected and the top ten countries with most infection rate for last month are Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania.
Researchers have published a list of affected devices and said that most infected devices contain MediaTek chipset and low-cost tablets.
“Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting. If your device is infected, it should automatically disable both the dropper and the payload. We know this works because we have observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.” said in the post published by Avast.