sb-eu logo
Story image

Low-cost Android devices shipping pre-installed Colisoon adware

29 May 2018

Android devices from manufacturers such as ZTE and Archos are being pre-installed with adware, researchers at Avast say.

The adware has been pre-installed on several hundred device models and versions - generally ‘low-cost’ Android devices that use a Mediatek chipset.

Although Google is already cracking down on affected apps, the problem is actually far more difficult.

Avast researchers Vojtech Bocek and Nikolaos Chrysaidos posted in a blog this week that the adware, dubbed ‘Cosiloon’, is installed on many devices that are not certified by Google.

The Colisoon adware uses an overlay to display ads over webpages in a users’ browser. The malware family is old, however it is still very much active and constantly updated with new payloads.

The researchers suspect that the latest version of the adware has been included on at least 18,000 Avast users’ devices. Those users are located in more than 100 countries.

The overlay popups have rate limiting to control how often they are displayed, while the full screen advertisement also includes a check that allows it to display solely over the current default web browser.

While Google is mitigating the malicious app on several device models and Google Play Protect has been updated, Avast researchers say the problem is actually much more complex.

The adware usually comes pre-installed with the firmware and uses strong obfuscation techniques, which makes it difficult to remove.

“Google has reached out to the firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue,” Bocek and Chrysaidos explain.

When the researchers analysed the adware samples, they discovered that there was no specific point of infection and had similar package names, including com.google.eMediaService, com.google.eMusic1Service, com.google.ePlay3Service, and com.google.eVideo2Service.

They tracked the packages down to a payload from a system application that was preinstalled by the manufacturer on various devices.

“Detecting the dropper is further complicated by the fact that it is a system app, part of the devices’ read-only firmware, which is integrated in the device shipped from the factory,” they state.

The earliest dropper sample was from 2015 and preinstalled on a budget tablet sold in Poland. Dating from some other samples go back as far as 2013.

Researchers say they have tried to disable the Colisoon command and control server by requesting takedowns, however it keeps popping up again.

“This adware family also has many variants of both payloads and droppers, indicating continuous development.”

The researchers not that so far the dropper only installs adware, but it could also be used to download other malware including spyware and ransomware.

 “Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting. If your device is infected, it should automatically disable both the dropper and the payload. We know this works because we have observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.”

Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the "disable" button on the app's page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.”

Story image
COVID-19 related email threats pose huge risk in 2020
According to the company’s annual mid-year roundup report, Trend Micro blocked 8.8 million COVID-19 related threats, nearly 92% of which were email-based.More
Story image
Radware issues security alert, warning of global rise of DDoS-for-hire
Efforts from corporations, law enforcement and independent researchers around the world have attempted in the last two years to curb this growth – but the industry keeps growing says Radware information security researcher Daniel Smith.More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
Acronis announces new security endpoint solution
The solution is an integration of data protection and cybersecurity which provides customers with effective endpoint protection in a landscape where the pointlessness of perimeter security is becoming more pronounced.More
Story image
Ripple20 threat could affect 35% of all IT environments – ExtraHop
The vulnerabilities have the potential to ‘ripple’ through complex software supply chains, enabling attackers to steal data or execute code.More
Story image
Zero trust is the way to secure the distributed workforce - Empired
Existing security solutions need to evolve to accommodate the new remote workforce.More