Many Android devices being shipped with pre-installed malware
29 May 2018
Security researchers at Avast Threat Labs have revealed that many Android device manufacturers (OEMs) are shipping their brand new Android smartphones, many of which are not certified by Google, with malware and adware pre-installed, thereby affecting thousands of device users in more than 100 countries including the UK.
Research carried out by Avast Threat Labs has revealed that adware dubbed “Cosiloon” is installed at the firmware level of many Android handsets and uses strong obfuscation, which ensures that it cannot be removed easily once detected.
According to the firm, at least 18,000 Android handsets located in more than 100 countries including the United States, Russia, Italy, Germany, and the UK contain the adware, but the true count of such devices could be a lot higher as the security firm has only counted devices that have Avast’s antivirus or anti-malware solutions installed.
Difficult to remove the malware from devices
The complete adware assembly consists of two APKs: a dropper and a payload. The researchers noted that the dropper is a small application with no obfuscation, is completely passive, and appears in the list of system applications under “settings”.
They added that the dropper can install, without the user’s consent or knowledge, application packages defined by the manifest it downloads via an unencrypted HTTP connection. According to the researchers, the dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier, and the user cannot remove it because it is a system application, part of the device’s firmware.
Android handsets sold in over 90 countries, including the United States, Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania, are affected by the adware. The affected devices usually sport a MediaTek chipset, run Android versions ranging from 4.2 to 6.0, and are mostly low-cost tablets manufactured by the likes of Archos, ZTE, and Prestigio.
Even though the presence of the adware family was detected and reported back in 2016, the control server for such malware was live until April 2018 and manufacturers continued to ship new devices with the pre-installed dropper.
“Some antivirus apps report the payloads, sure, but the dropper will install them right back again and the dropper itself can’t be removed, so the device will forever have a method allowing an unknown party to install any application they want on it. We have seen the dropper install adware on the devices, however, it could easily also download spyware, ransomware or any other type of threat,” the researchers warned.
“Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal” with generic Android icon), and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again.”
They added that Google has now started taking steps to mitigate the malicious capabilities of many app variants on several device models, but a lot more needs to be done to ensure that users are protected from the malware family.
“Google Play Protect has been updated to ensure there is coverage for these apps in the future. However, as the apps come pre-installed with the firmware, the problem is difficult to address. Google has reached out to the firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue,” they said.
Passing on security updates a must for Android OEMs
The news comes not long after Google hinted that it may make it obligatory for Android device manufacturers to pass on critical security updates to their devices. This would ensure that the number of Android devices featuring the latest security updates provided by Google would rise massively in the future.
“We have a pretty steady track record for years now, every single month delivering… patches to the market. We want to make sure that all Android OEMs are delivering patches regularly to their devices as well, not just Google’s devices,” said David Kleidermacher, head of Android Security at Google, at the company’s I/O Developer Conference.
He said that the requirement to pass on security updates to customers in a timely manner would be included in future OEM agreements, thereby ensuring manufacturers will be legally obligated to pass on security updates. It could also stop the spread of harmful and sophisticated malware variants that have the capability to quickly spread within the Android ecosystem and infect millions of devices in a short span of time.