Thousands of Android devices found to have pre-installed malware

Doris Richards
May 27, 2018

Google reached out to the firmware developers so they could take steps to root out malicious code from their systems. Avast noticed the threat on over 140 different Android models, a lot of them tablets, including products from ZTE, Archos, and Prestigio, among others. What's more, since the adware has been built into the devices by the manufacturers, they have proven to be incredibly hard to remove.

Avast added that thousands of devices had been affected, with the past month alone seeing some 18,000 affected devices spread across more than 100 countries including Russia, Italy, Germany, the United Kingdom, as well as some in the US. While not too severe this adware is capable of creating an overlay to display ads within a webpage on any browser. "Google has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques", Avast said. According to Google, the handful of phones that are certified will have Play Protect malware scanning, and that service is already equipped to find and remove the malware in question.

According to the report by the researchers, this particular adware has apparently been a menace for over three years.

Global cyber-security firm Avast in a blog post claimed that a majority of the devices which have been found to be carrying adware are not certified by Google and carry an adware that called "Cosiloon". The malware authors kept updating the control server with new payloads.


Numerous affected handsets were also infected with two more malware packages, all capable of showing apps, installing additional APKs from the internet and submitting private data such as IMEI, Mac address and phone number to remote servers. Some antivirus apps report the payloads, but the dropper will install them right back again and the dropper itself can't be removed, so the device will forever have a method allowing an unknown party to install any application they want on it. This means that the adware is still being distributed to the devices. The first provider, ZenLayer, quickly responded and disabled the server, but it was restored after a while using a different provider.

Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, leaving the onus on Google Play Protect.

The app consists of a dropper and a payload. As does West African darling Archos, the maker of a once-popular Android media player app and a renown French mobile device brand. "The app is completely passive, only visible to the user in the list of system applications under "settings.' We have seen the dropper with two different names, 'CrashService" and 'ImeMess, '" wrote Avast.

Other reports by Iphone Fresh

Discuss This Article

FOLLOW OUR NEWSPAPER