As indicated in a report recently posted by Avast on its official blog, it seems that a number of cheap, non-Google-certified Android-powered mobile devices have shipped with preinstalled malware that could have users unknowingly download apps they should not be using or accessing.
The malware is called Cosiloon, and what it basically does is overlay ads on top of the handset’s mobile operating system. By doing this, it can promote certain types of mobile apps, and even trick people into downloading them. According to Avast’s report, there is evidence that the Cosiloon malware has affected smartphones from mobile manufacturers such as ZTE, Archos, and myPhone.
Avast further explains that the malware comes with a dropper and a payload. The dropper is essentially a small app that is free of obfuscation, and is usually found on the /system partition of affected handsets. It is extra dangerous because of its completely passive nature -- users can only see it in the list of system applications under Settings. Avast has noticed that the dropper has taken two alternate names -- ImeMess and CrashService. When the dropper is connected to the Internet, it proceeds to fetch the payloads that hackers have prepared for download onto the unsuspecting phone.
The XML manifest contains information about which software to download and which services to start. It even contains a whitelist that can skip specific countries or specific handset makes or models. The folks at Avast note, however, that they have not seen the whitelist used for countries. As for the phones, the whitelist they saw was in the early versions.
Making things worse is the fact that the dropper is part of the system’s firmware, which could mean that getting rid of it may be easier said than done. On top of that, nobody seems to know just when the dropper is preloaded -- Avast’s best bet is somewhere in the supply chain, which means it could be the phone maker, the original equipment manufacturer (OEM) of the components used, or even the mobile operator.
Still, the dropper can be deactivated -- as a matter of fact, Avast has suggested a set of instructions that should do it. As for the payloads, they can be identified and later removed. As hinted earlier, the dropper is much trickier to handle. Even when an affected handset has antivirus software installed, the dropper will disable notifications and continue to suggest downloading certain mobile apps while the user is browsing the Internet in their preferred web browser, and if the user bites, it could mean more malware invading their Android phone.
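For readers who want to check a handset, here is an added example (not from Avast's report or the original article) that scans the output of `adb shell pm list packages -s -f` for system apps carrying either dropper name mentioned above. It assumes the name shows up in the APK path; the sample output and package names are constructed.

```python
"""Flag system apps whose APK path carries a dropper name reported by Avast."""
from pathlib import PurePosixPath

# Names from the article; matching them against APK paths is an assumption.
DROPPER_NAMES = {"imemess", "crashservice"}

# Constructed sample of `adb shell pm list packages -s -f` output.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Calculator/Calculator.apk=com.example.calculator
package:/system/priv-app/CrashService/CrashService.apk=com.example.constructed.crash
package:/system/app/ImeMess.apk=com.example.constructed.ime
package:/data/app/~~Qx1==/com.example.game-Zz9==/base.apk=com.example.game
not a package line
"""

def parse_pm_line(line):
    """Return (apk_path, package) for one `pm list packages -f` line, else None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Split on the LAST '=': install paths under /data/app can contain '='.
    path, sep, package = line[len("package:"):].rpartition("=")
    if not sep or not path or not package:
        return None
    return path, package

def find_dropper_candidates(pm_output):
    """List (package, apk_path) pairs on /system whose path matches a dropper name."""
    hits = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed is None:
            continue
        path, package = parsed
        apk = PurePosixPath(path)
        if apk.parts[:2] != ("/", "system"):
            continue  # the article places the dropper on the /system partition
        # Compare every directory name and the APK stem, case-insensitively.
        names = {part.lower() for part in apk.parts[2:-1]} | {apk.stem.lower()}
        if names & DROPPER_NAMES:
            hits.append((package, path))
    return hits

if __name__ == "__main__":
    for package, path in find_dropper_candidates(SAMPLE_PM_OUTPUT):
        print(f"review: {package} at {path}")
```

A hit is only a lead for closer inspection, since a legitimate system component could share one of these names.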