Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost, non-Google-certified Android phones shipped with a strain of malware built in that could send users to
download apps they didn't intend to access.
The malware, called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into
downloading apps.
Devices affected shipped from ZTE, Archos and myPhone. The app consists of a dropper and a payload.
"The dropper is a small application with no obfuscation, located on the /system partition of affected devices.
The app is completely passive, only visible to the user in the list of system applications under 'settings.' We have seen the dropper with
two different names, 'CrashService' and 'ImeMess,'" wrote Avast.
The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone.
"The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially
exclude specific countries and devices from infection.
However, we've never seen the country whitelist used, and just a few devices were whitelisted in early versions.
Currently, no countries or devices are whitelisted.
The entire Cosiloon URL is hardcoded in the APK." The dropper is part of the system firmware and is not easily removed. To summarize: The
dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user's consent or
knowledge. The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier. The user cannot remove the
dropper, because it is a system application, part of the device firmware. Avast can detect and remove the payloads and they recommend
following these instructions to disable the dropper.
If the dropper spots antivirus software on your phone, it will actually stop notifications, but it will still recommend downloads as you
browse in your default browser, a gateway to grabbing more (and worse) malware.
Engadget notes that this vector is similar to the Lenovo "Superfish" exploit that shipped thousands of computers with malware built in.