Some low-cost Android phones shipped with malware built in

科技动态 2018-05-25

has found that many low-cost, non-Google-certifedphones shipped with a strain of malware built in that could send users to download apps they didn’t intend to access. The malware, called called Cosiloon
, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. Devices effected shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,'” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:
The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.  The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.  The user cannot remove the dropper, because it is a system application, part of the device’s firmware.

Avast can detect and remove the payloads and they recommend following these instructions
to disable the dropper. If the dropper spots antivirus software on your phone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes
that this vector is similar to the Lenovo “Superfish” exploit
that shipped thousands of computers with malware built in.


Five New Android Games for the Weekend What better way to spend the weekend if not by relaxing and playing new games on your Android mobile device from the comfort of you home. This weeken...
Warning: ESET issues alert on new mobile banking m... Android – being the biggest smartphone platform right now- is a major target for malware attacks. Just as this operating system was recovering fr...
New hacks siphon private cryptocurrency keys from ... Researchers have defeated a key protection against cryptocurrency theft with a series of attacks that transmit private keys out of digital wallets tha...
July’s Android Security Bulletin Addresses Continu... This bulletin continues the tackle the vulnerabilities in Mediaserver we’ve been discussing for the past few months. In March we mentioned that an at...
Popular software CCleaner infected with backdoor A bit of a warning, if you have download CCleaner recently, their installer was infected with malicious software. With millions of downloads last mont...