Avast Finds Preinstalled Malware on Hundreds of Android Device Brands


Security experts from Avast Threat Labs have discovered preinstalled adware, known as Cosiloon, on Android devices from several hundred different brands and models, including ZTE, Archos, and myPhone. Avast has published the full list of affected devices. The application displays pop-up ads in the browser over web pages, and in just the past month thousands of users have been affected. Researchers report that the latest version of Cosiloon was found on 18,000 Avast users’ devices in over 100 countries, including Russia, Italy, Germany, the UK, and the USA. According to Avast, most devices infected with Cosiloon are not Google-certified.

Analysts note that this same adware was analyzed by Dr. Web specialists back in 2016. Experts estimate that the threat has existed for more than three years. Researchers have already notified Google about the issue, and the company has taken steps to reduce the malicious activity of many variants of the application using internal technical tools. For example, the Google Play Protect system has been updated to help prevent similar cases in the future. However, when malicious apps are embedded in a device’s firmware, as with Cosiloon, solving the problem can be quite difficult. Google representatives have reached out directly to software and hardware developers to address the issue.

Identifying Cosiloon

Over the past few years, Avast specialists have observed strange Android samples entering the company’s database. These signatures were similar to other adware samples, except for one detail: they had no infection point, and the package names were suspiciously similar. The most common package names include:

  • google.eMediaService
  • google.eMusic1Service
  • google.ePlay3Service
  • google.eVideo2Service

It is still unclear how exactly the adware ended up on the devices. Attackers continuously uploaded new malicious payloads to the command server, while manufacturers kept shipping new devices with preinstalled dropper apps for covert malware deployment.

Researchers note that some antivirus solutions detect the attackers’ payloads as malware, but this is not very effective. Even if the malware is removed, the dropper simply downloads a new one. Since removing the dropper itself is not easy, attackers can install not only adware but also ransomware, spyware, or any other malicious software on the device at any time.

Avast specialists attempted to disable the Cosiloon command server by sending removal requests to domain registrars and providers. One provider, ZenLayer, responded quickly and disabled the attackers’ server, but it was soon restored elsewhere. The domain registrar did not respond to Avast’s requests, so the criminals’ command server continues to operate.

How to Remove Cosiloon

Experts state that Avast Mobile Security detects and removes the payload, but cannot access or disable the dropper integrated into the firmware. As a result, the main work of blocking the dropper and malware falls to Google Play Protect. After Google Play Protect learned to identify Cosiloon, the number of infected devices dropped significantly.

Users can also remove the adware trojan manually: in the device settings, find the dropper (it appears under the names CrashService, ImeMess, or Terminal and has a standard Android icon). On the app’s page, tap “Disable” (whether this option is offered depends on your Android version). Once the dropper is deactivated, Avast Mobile Security or another antivirus product will remove the payload, and the malware will no longer be able to reinstall itself on the device.
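For administrators checking a batch of devices over adb, the package names quoted above can be matched against the installed-package listing. The script below is an added example, not Avast’s tooling; it assumes the dropper packages contain the names listed in the article as substrings and that `adb shell pm list packages` prints one `package:<name>` line per installed package (the sample listing is constructed).

```shell
#!/bin/sh
# Added example: flag installed packages whose names match the Cosiloon
# package names quoted in the article. Parses "package:<name>" lines as
# printed by `adb shell pm list packages`. Substring matching is an
# assumption; the article lists names without a full prefix.

# Package names from the article.
COSILOON_NAMES="google.eMediaService google.eMusic1Service google.ePlay3Service google.eVideo2Service"

# find_cosiloon: read "package:<name>" lines on stdin, print the names of
# matching packages (one per line). Exit 0 if any matched, 1 otherwise.
find_cosiloon() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            package:*) pkg=${line#package:} ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        for name in $COSILOON_NAMES; do
            case "$pkg" in
                *"$name"*) printf '%s\n' "$pkg"; found=0; break ;;
            esac
        done
    done
    return $found
}

# Constructed sample listing standing in for a real device.
SAMPLE_LISTING='package:com.android.settings
package:com.google.eMediaService
package:com.example.launcher
package:com.google.eVideo2Service'

if [ "${1:-}" = "--device" ]; then
    # Live run against a connected device (requires adb; tr strips the CR
    # that some adb versions append to each line).
    adb shell pm list packages | tr -d '\r' | find_cosiloon
else
    printf '%s\n' "$SAMPLE_LISTING" | find_cosiloon
fi
```

Run with `--device` to inspect a connected handset; a hit only tells you a package name matches, so confirm with the app details (the CrashService/ImeMess/Terminal labels above) before disabling it.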
