Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost , non-Google-certifed Android phones shipped with a stres of malware built in that could send users to download apps they didn’t intend to access. The malware, called called Cosiloon, overlays ads over the operating system in order to promote apps or even trick users into downloading apps. Devices effected shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a warhead.” The dropper is a small application with no obfuscation, located on the/ system partition of affected devices. The app is wholly passive, only visible to the user in the list of system applications under’ puts .’ We have watched the dropper with two different names,’ CrashService’ and’ ImeMess, ‘” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone.” The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve ever seen the country whitelist use, and simply a few devices were whitelisted in early versions. Currently , no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK .”

The dropper is part of the system’s firmware and is not easily removed.

To summarize 😛 TAGEND

The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s permission or knowledge.
The dropper is preinstalled somewhere in the furnish chain, by the manufacturer, OEM or carrier.
The user cannot withdraw existing dropper, because it is a system application, part of the device’s firmware.

Avast can see and remove the warheads and they recommend following these instructions to disable the dropper. If the dropper spots antivirus software on your telephone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more( and worse) malware. Engadget notes that this vector is similar to the Lenovo ” Superfish” exploit that shipped thousands of computers with malware built in.

Make sure to visit:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s