Avast has detected many low-cost, non-Google-certified Android smartphones shipping with built-in malware. The strain, named "Cosiloon", overlays advertisements on the display to promote apps and tricks users into downloading apps they never wanted. Devices from Archos, ZTE, and myPhone are among those affected. The affected devices come with an app that consists of a dropper and a payload, and this app lives on the system partition of the device.
The app is completely hidden and can only be seen in the list of system applications under the Settings menu. According to Avast, the dropper application appears under two different names: "ImeMess" and "CrashService". The dropper starts by connecting to a website to fetch the payloads the attackers want installed on the phone. The complete details of what to download, which services to run, and a whitelist of specific devices and countries to leave uninfected are held in an XML manifest. In early versions of this malware only a few devices were whitelisted rather than entire countries; currently no country or device is whitelisted at all. The full Cosiloon URL is embedded in the APK's code. The dropper is not easy to remove because it is part of the system firmware.
The dropper is therefore able to install whatever application packages the XML manifest defines, and that manifest is downloaded over an unencrypted HTTP connection, so the user has no idea any of this is happening. The dropper is preinstalled by the manufacturer, OEM, or carrier, which means that somewhere in the supply chain there are attackers. Because the dropper is part of the device's firmware, the user cannot remove it.
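The write-up's main lead for a defender is that the dropper sits on the system partition under the labels "ImeMess" or "CrashService". Below is an added triage helper (not Avast's tool or code from the page) that parses constructed `adb shell pm list packages -f` output and flags packages on /system whose path or name matches those labels; the package names and paths in the sample are hypothetical, chosen only to exercise the logic.

```python
"""Triage helper: flag preinstalled packages matching Cosiloon indicators."""
import re

# Indicators from the Avast write-up: the dropper is a system app seen under
# the labels "ImeMess" and "CrashService". Matching is case-insensitive on the
# APK path and package name (the real package names are not on the page).
DROPPER_INDICATORS = ("imemess", "crashservice")

# Constructed sample of `adb shell pm list packages -f` output. The
# com.example.* names and paths are hypothetical, not real Cosiloon identifiers.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/app/ImeMess/ImeMess.apk=com.example.imemess
package:/system/priv-app/CrashService/CrashService.apk=com.example.crashservice
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

# Each line has the form "package:<apk path>=<package name>".
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


def parse_pm_list(output):
    """Return (apk_path, package_name) tuples from `pm list packages -f` output."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def is_system_partition(apk_path):
    """A package living under /system is firmware: the user cannot uninstall it."""
    return apk_path.startswith("/system/")


def flag_suspicious(entries, indicators=DROPPER_INDICATORS):
    """Return system-partition packages whose path or name matches an indicator."""
    hits = []
    for path, pkg in entries:
        haystack = (path + " " + pkg).lower()
        if is_system_partition(path) and any(i in haystack for i in indicators):
            hits.append(pkg)
    return hits


if __name__ == "__main__":
    for pkg in flag_suspicious(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print("suspicious preinstalled package:", pkg)
```

A hit is a lead for manual inspection of the APK, not proof of infection; a legitimate vendor app could carry a similar name.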
Avast can detect and remove the payloads, and it also provides instructions for disabling the dropper. When the dropper detects an antivirus on the phone, it stops showing notifications but continues to recommend downloads as you browse with the default browser, which then becomes a gateway for more and worse malware to reach the phone. This is similar to the Lenovo "Superfish" case, in which thousands of computers were shipped with malware built in; the same is true here. We cannot say how many devices have shipped with the malware, but it is certain that Avast has detected phones with the malware built in.