Several hundred low-cost Android devices are shipping with preinstalled adware, according to security firm Avast. The company specifically called out products from Archos, MyPhone, Prestigio, and ZTE.
The adware, called Cosiloon, was previously described in 2016 by fellow security company Dr. Web. It effectively creates incessant popup ads in the user’s browser and on the homescreen, obscuring the screen in the process.
The new report delves into more detail on how it all works and who’s affected by it.
So, how does it work?
Cosiloon essentially consists of two components, called a dropper and a payload. Avast has identified two variants of the dropper, which is responsible for delivering (or dropping) the malicious payload onto the device.
The first dropper variant is essentially a system app, only visible in the list of system applications. Avast adds that they’ve seen it listed as ‘CrashService’ and ‘ImeMess’. The second dropper variant is “pretty much impossible” to remove as it’s actually integrated into the SystemUI APK, which is one of the key system packages for Android.
The payload portions are far more numerous, as Avast found over 100 payload versions. Only two payload variants were visible as an app on the homescreen, with one using the imaginative name “Goolge Contacts”. The vast majority of variants were only visible in the system applications list, using names like “eVideo2Service”, “MediaService”, and “VPlayer”.
Who is affected?
The security company’s statistics show that users in over 90 countries were affected by the adware. The top ten countries include Russia, Germany, Italy, the U.K., Ukraine and Venezuela.
As for affected devices? Avast found they usually had a MediaTek chipset and were largely low-cost tablets. Affected manufacturers included Archos, Condor, Haier, MyPhone, Prestigio, Telefunken, and ZTE (view the full list here). The firm clarified that not all device models on the list would be affected, owing to firmware variations and/or custom ROMs being used.
Avast says the list of affected devices is so extensive because the adware was part of a chipset platform package that gets reused for similar devices. The affected platforms were running Android 4.2 to Android 6.0, which should put you at ease if you’ve got a device with Nougat and above.
What can you do about it?
A factory reset doesn’t make a difference, owing to the adware being embedded in the system settings. Avast adds that its antivirus app doesn’t have the necessary permissions to remove the dropper (although it can remove payloads). Fortunately, Google Play Protect has been updated to detect Cosiloon, the security firm says, so it will automatically disable both the dropper and payload.
Alternatively, it adds that users can manually disable the dropper by finding it in the system applications list (Settings > Apps > Show System Apps), then looking for “CrashService”, “ImeMess” or “Terminal”. From here, Avast’s app will remove the payload portion.
Who’s to blame for Cosiloon?
Avast says Google has been making firmware developers aware of the issue. So it sounds like they didn’t know about the problem. Then again, if you were covertly slapping adware on your devices, would you say you knew about it all along?
The fact that the vast majority of these devices run MediaTek chips is also noteworthy. However, MediaTek tends to be the processor brand of choice for many low-cost manufacturers. Low-cost brands are usually involved in these malware cases, ostensibly due to limited resources and/or a desire to gain a few extra bucks off devices with a low profit margin.
In any case, we’ve contacted Archos, MediaTek and ZTE to gain clarity on the situation. We’ll update the story when we receive a response from the companies.