Comments
Several hundred Android device models and versions, including devices from manufacturers such as ZTE, Archos, and myPhone, have adware pre-installed on them. The majority of these devices are not certified by Google.
According to a statement from Avast Threat Labs, the adware that goes by the name Cosiloon, creates an overlay to display an ad over a webpage within the user’s browser. Thousands of users have been affected, and in the past month alone, the latest version of the adware has been found on around 18,000 devices belonging to Avast users located in more than 100 countries, including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the US.
According to the statement from the digital security products firm, the adware, which has been active for at least three years, is difficult to remove as it is installed on the firmware level and uses strong obfuscation. Avast Threat Labs is in touch with Google, which Google has taken steps to mitigate the malicious capabilities of many app variants on several device models using internally developed techniques.
While Google Play Protect has been updated to ensure coverage for these apps in the future, as the apps come pre-installed with firmware, the problem is difficult to address. Google has reached out to firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.
Identifying Cosiloon
According to Avast Threat Labs, it has observed from time to time some strange Android samples in its database. The samples appeared to be like any other adware sample, with the exception that the adware appeared to have no point of infection and several similar package names, the most common being: · com.google.eMediaService; · com.google.eMusic1Service; · com.google.ePlay3Service and · com.google.eVideo2Service
It is not clear how the adware got onto the devices. The malware authors kept updating the control server with new payloads. Manufacturers also continued to ship new devices with the pre-installed dropper. Some antivirus apps report the payloads, but the dropper installs them right back again and the dropper itself can’t be removed, so the device has a method of allowing an unknown party to install any application they want on it. The Avast Threat Labs have observed the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat.
Avast has attempted to disable Cosiloon’s C&C server by sending take-down requests to the domain registrar and server providers. The first provider, ZenLayer, quickly responded and disabled the server, but it was restored after a while using a different provider. According to Avast, the domain registrar has not responded to its request, so the C&C server still works, the statement said.
“Malicious apps can, unfortunately, be installed on the firmware level before they are shipped to customers, probably without the manufacturer’s knowledge," said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast. “If an app is installed on the firmware level, it is very difficult to remove, making cross-industry collaborations between security vendors, Google and OEMs imperative. Together, we can ensure a safer mobile ecosystem for Android users.“
Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting. If a device is infected, it should automatically disable both the dropper and the payload. Avast Threat Labs has observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.
How to deactivate Cosiloon
Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the "disable" button on the app's page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.
Avast Mobile Security can be downloaded for free from the Google Play Store. Avast is also working with mobile carriers around the world to protect users from mobile threats.
Comments
COMMENT NOW
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.