Hundreds Of Android Smartphones Preloaded With Malware, Warns Avast

Tom Jowitt,
Android © Palto Shutterstock 2012

Smartphones from the likes of ZTE, MediaTek, Archos and Blaupunkt are preloaded with adware nastiness

Many affordable Android smartphones ship preloaded with malware out of the box, cyber security specialist Avast has warned.

The firm identified over several hundred phones from the likes ZTE, MediaTek, Archos and Blaupunkt, among others as being shipped with the Cosiloon adware, which is reportedly very difficult to remove.

This is not the first time that adware has been found on Android devices, however devices are unsually infected after installing compromised apps. This time last year for example Check Point warned of adware on 41 apps on Google Play, which had been developed by a Korean company.

Preinstalled adware

But now Avast in a blog post has warned that hundreds of cheap Android smartphones are shipped with the Cosiloon adware.

“When you get a brand new phone, you expect it to be clean from any malware and adware. Unfortunately, this is not always the case,” wrote Avast. “The Avast Threat Labs has found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE and Archos. The majority of these devices are not certified by Google.”

It said that the Cosiloon adware has previously been described by Dr. Web, and has been active for at least three years.

Essentially, the adware creates an overlay to display an ad over a webpage within the users’ browser.

Avast warned that Cosiloon “is difficult to remove as it is installed on the firmware level and uses strong obfuscation.”

“Thousands of users are affected, and in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK, as well as some users in the US,” it wrote.

C&C takedown

“By far the most jarring fact is that Dr. Web reported on this in 2016… and yet nothing happened,” said Avast. “The control server was live until April 2018, and the authors kept updating it with new payloads.”

“We have attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers,” said Avast.

But it seems that the domain registar has not responded, so the C&C server is still active.

Shipping new devices preinstalled with cyber nastiness has happened before, most notably with PC maker Lenovo last year.

Last Spetember the Chinese firm was fined $3.5 million (£2.7m) and ordered to review its cybersecurity testing after it distributed the ‘harmful’ Superfish adware with its laptops ever since 2014.

Do you know all about security? Try our quiz!