The thought of your smartphone being infected with malware is terrifying, so many OEMs implement enhanced security features to protect your personal data. But it looks like some companies are injecting malware themselves.

Avast (an antivirus company) found that low-cost, non-Google-certified Android phones from ZTE, Archos and myPhone are shipped with malware as a system application. This malware is called Cosiloon; it overlays ads on your smartphone and might trick you into downloading some applications.

This malware app is referred to as a dropper. This is the official explanation by Avast: “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess’. The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

As the dropper APK comes with the firmware, it is hard for antivirus apps to detect, and it cannot be removed. Antivirus apps will detect the payload; however, once the antivirus removes it, the dropper will do its job again and re-download the payload, Avast stated. According to Avast, users in over 90 countries are affected. The top ten over the last month are Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania. The affected devices usually sport a MediaTek chipset and are mostly low-cost tablets. The list, including the most affected devices, can be found here.

If your device is one of the affected ones, you can follow these instructions provided by Avast: “Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.”
