Security researchers have discovered adware pre-installed on over 140 low-cost Android smartphones and tablets. The malware, named Cosiloon, ships as a firmware component and overlays ads on top of other apps or the Android interface in order to promote certain apps or trick users into downloading apps, Avast researchers reported.
Some of the devices affected shipped from ZTE, Archos and myPhone. Researchers noted that most of the devices affected are not certified by Google.
"The adware has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation," researchers said in a blog post. "Thousands of users are affected, and in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK, as well as some users in the US."
Avast has notified Google, which in turn has "taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques." Google is also reaching out to the firmware developers about the issue.
Researchers said the C&C server used to control the malware was still active and being updated with new payloads. After they contacted CNCERT and the companies hosting the C&C server, the server was taken down on April 10, researchers said, adding that the domains are still live.
Users in over 90 countries are affected by the adware with the top ten affected countries including Russia, Italy, Germany, the UK, Ukraine, Portugal, Venezuela, Greece, France and Romania.
According to Avast, several hundred different devices are affected; they usually feature a MediaTek chipset and include low-cost tablets.
"The list is likely so extensive because the malware was part of a chipset platform package which is reused for many similar devices with different brand names," researchers said. "We cross-checked many, but not all of the devices, and noticed that the chipset on the devices we inspected was from MediaTek. The devices run different Android versions ranging from 4.2 to 6.0.
"Not all device models listed are affected, as each model has countless firmware variants (e.g. for different countries, and carriers) and only a few or one variation of a device might be affected, or perhaps a custom ROM version had the dropper."
Since the dropper APK comes with the firmware, it is impossible to remove and hard for antivirus software to detect. Even if antivirus software does detect the payload and remove it, the dropper simply downloads and reinstalls the payload again.
"By far the most jarring fact is that Dr. Web reported on this in 2016… and yet nothing happened. The control server was live until April 2018, and the authors kept updating it with new payloads," researchers said. "We have seen the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat."