‘Cosiloon’ Adware Pre-installed in Many MediaTek-Powered Android Devices: Avast

Android Malware KK

By now, it shouldn’t surprise anyone when cyber-security firms come out with reports about Android malware, but the scope and scale of the problem is still scary for the hundreds of millions of Android users around the world. Avast is the last security software-maker to have now released a report about the state of security on the world’s largest mobile platform, reinforcing just how vulnerable Android still is, in spite of all the proactive steps taken by Google to eradicate the menace.

According to Avast’s Vojtech Bocek and Nikolaos Chrysaidos, an adware named “Cosiloon” has been found to have come pre-installed on hundreds of Android devices from manufacturers like ZTE, Archos and Prestigio. All the affected devices are reportedly powered by MediaTek chips, and run different Android versions ranging from 4.2 to 6.0.

Cosiloon, claims the report, hijacks the browser to create ad overlays to display advertisements on top of a webpage in a web-browser. Devices affected by the malware are being shipped to many countries around the world, including, but not limited to, India.While it is not clear how the adware got into the devices, the researchers believe that in this case, the manufacturers were probably unaware of the problem and were not complicit.

“Thousands of users are affected and in the past month alone, Avast Threat Labs has seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries, including Russia, Italy, Germany, India, Mexico, the UK as well as some users in the US”

Cosiloon itself is not a new addition to the growing list of Android malware, but was previously described by Russian IT-security solutions vendor, Dr Web. It is said to be active for the past three years, and uses strong obfuscation to avoid detection. What’s worse is that it is extremely difficult to remove as it is installed at the firmware level.

Avast says that it has notified Google about its findings, following which, the company has “taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques”. The report further states that, “Google Play Protect has been updated to ensure there is coverage for these apps in the future”.

If you are using a device from any of the aforesaid vendors, you can check for the presence of the malware by going over to Settings and looking for entries like ‘CrashService’, ‘ImeMess’ or ‘Terminal’ with a generic Android icon. You can then tap on the ‘Disable’ button to deactivate the app, although, you won’t be able to remove it completely from your phone.

However, Avast says it’s software can effectively kill of the malware by removing its payload, following which, it will never return again. The company has also posted an extremely detailed and technical report on its blog, so in case you’re interested, you can check it out by clicking thru this link.

Comments 0
Leave a Reply