Avast Threat Labs have found adware pre-installed on several different Android device models and versions which includes devices from manufacturers like ZTE, Archos, and myPhone. The majority of these devices are not certified by Google. The adware named Cosiloon creates an overlay to display an ad over a webpage within the user’s browser. Thousands of users are affected, and in the past month alone, the Avast Threat Labs has seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the U.S.
The Avast Threat Labs is in touch with Google and they are aware of the issue. Google has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques. Google Play Protect has been updated to ensure there is coverage for these apps in the future. However, as the apps come pre-installed with firmware, the problem is difficult to address. Google has reached out to firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.
In the last few years, the Avast Threat Labs have observed from time to time some strange Android samples in their database. The samples appeared to be like any other adware sample, with the exception that the adware appeared to have no point of infection and several similar package names, the most common being:
It is not clear how the adware got onto the devices. The malware authors kept updating the control server with new payloads. Manufacturers also continued to ship new devices with the pre-installed dropper. Some antivirus apps report the payloads, but the dropper will install them right back again and the dropper itself can’t be removed, so the device will forever have a method allowing an unknown party to install any application they want on it. The Avast Threat Labs have observed the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat.
How to deactivate Cosiloon
Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.
Follow us on Twitter for more news and updates.