Cheap Android phones are sold with pre-installed malware

Android phones with malware were not certified by Google

Experts have found Android devices which were sold with pre-installed malware to the customers. Most of them were not certified by Google and distributed by such manufacturers as Archos, ZTE, and myPhone^[1]. When analysis the threat, IT specialists categorized it as the Cosiloon adware.

This specific cyber threat is designed to display ads on user's browser with an overlay. Likewise, people are either seeing promoting commercial content or can even be redirected to the shady page and insisted on downloading an unknown app. Currently, there is no reliable information to claim which apps are sponsored. Although, most of them are free online games.

According to the experts, this type of Android virus^[2] has been active for at least three years. Now, the statistics show that the adware has infected more than 18 thousand devices in 100 different countries. This includes the following countries^[3]:

• Russia;
• Germany;
• The United States;
• United Kingdom;
• Italy.

Malware consist of two different APKs

Vojtech Bocek and Nikolaos Chrysaidos, cybersecurity researchers at Avast, say that the application is entirely passive and can merely be seen in the list of system applications. They have detected that it can be named two ways — ImeMess or CrashService^[4]. Although, numerous versions are lurking in the cyberspace.

They download and the manifest from hxxp://www.cosiloon.com/version.xml once the Android smartphone is connected to a Wi-Fi. Experts add the following to the analysis^[5]:

The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection.

Currently, the whitelist is not used for any countries or devices. However, the professionals have seen some gadgets whitelisted in the previous versions.

Later, the dropper uses pm install command to install the APK from the URL which is found in the manifest. Note, that it changes depending on the version. Finally, it starts the payload service with entries and repeats it each time the device reboots.

According to the experts, the second variant of the dropper is far more complicated and embedded in SystemUI.apk which is one of the components of Android device. Likewise, it is almost impossible for the user to remove the malware and it makes it harder for the antivirus systems to detect it.

Android malware is present on the device, and you can't uninstall it

Researchers point out that there is a way how you can get rid of the payload. Although, the dropper can't be disabled and must be deactivated by Google Play Protect. Likewise, people should be extremely cautious of the potential dangers that might appear due to this malicious program.

Experts have contacted and warned Google about this issue. The company has taken steps to address the problem and ensure that Android device manufacturers would be aware of the malware. However, since app comes pre-installed with the firmware, it is rather more than hard to deal with the problem.