Some low-cost Android phones shipped with malware built in

Tech News 2018-05-25

Avast has found that many low-cost, non-Google-certified phones shipped with a strain of malware built in that could send users to download apps they didn’t intend to access. The malware, called Cosiloon, overlays advertisements on top of the operating system in order to promote apps or even trick users into downloading apps. Affected devices shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,’” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:

- The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.
- The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.
- The user cannot remove the dropper, because it is a system application, part of the device’s firmware.
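The two paragraphs above describe the same weak link: a privileged system component that fetches a manifest over plaintext HTTP and installs whatever it lists, with no authentication of the manifest and no consent step. The following is an added example, not Avast's code and not Cosiloon's real manifest schema (the XML layout, element names, package names and URLs are all constructed here to illustrate the shape of the problem). It contrasts the "install everything the manifest names" behaviour with the checks a legitimate updater should apply before acting on a downloaded manifest: an integrity check on the manifest itself, a requirement that package URLs use HTTPS, and an allowlist of packages the component is permitted to install. The HMAC stands in for the asymmetric signature a real updater would verify with a pinned public key.

```python
"""Added example (not from the article or from Avast): an unverified
manifest-driven install flow beside a hardened validator.

The manifest format below is constructed for illustration; it mirrors
only the *kinds* of fields the article mentions (what to download,
which services to start, country/device exclusion lists).
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest. Package names, hosts and the exclusion
# entries are placeholders, not indicators from any real campaign.
SAMPLE_MANIFEST = """<manifest>
  <exclude>
    <country>XX</country>
    <device>model-placeholder</device>
  </exclude>
  <package url="http://example.invalid/payload1.apk" name="com.example.payload1"/>
  <package url="https://updates.example.invalid/update.apk" name="com.example.trustedupdate"/>
  <service name="com.example.payload1.BgService"/>
</manifest>"""


def parse_manifest(xml_text):
    """Parse the constructed manifest into a plain dict."""
    root = ET.fromstring(xml_text)
    return {
        "exclude_countries": [e.text for e in root.findall("./exclude/country")],
        "exclude_devices": [e.text for e in root.findall("./exclude/device")],
        "packages": [(p.get("name"), p.get("url")) for p in root.findall("package")],
        "services": [s.get("name") for s in root.findall("service")],
    }


def unverified_install_plan(manifest):
    """What the dropper flow in the article amounts to: every package the
    manifest names gets installed, regardless of where it came from."""
    return [name for name, _ in manifest["packages"]]


def sign_manifest(xml_text, key):
    """Stand-in for a real signature: HMAC-SHA256 over the raw manifest bytes.
    A production updater would verify an asymmetric signature with a
    pinned public key instead of sharing a secret with the server."""
    return hmac.new(key, xml_text.encode(), hashlib.sha256).hexdigest()


def hardened_install_plan(xml_text, signature_hex, key, allowlist):
    """Accept a package only if the manifest authenticates, the package URL
    is HTTPS, and the package is on the component's allowlist.
    Returns (accepted_names, {rejected_name: reason})."""
    if not hmac.compare_digest(sign_manifest(xml_text, key), signature_hex):
        # Without an authenticated manifest nothing in it can be trusted,
        # so no package is considered at all.
        return [], {"manifest": "signature mismatch"}
    manifest = parse_manifest(xml_text)
    accepted, rejected = [], {}
    for name, url in manifest["packages"]:
        if urlparse(url).scheme != "https":
            rejected[name] = "non-https url"
        elif name not in allowlist:
            rejected[name] = "not in allowlist"
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    demo_key = b"demo-shared-key"  # constructed for the example
    plan = unverified_install_plan(parse_manifest(SAMPLE_MANIFEST))
    print("unverified flow would install:", plan)
    sig = sign_manifest(SAMPLE_MANIFEST, demo_key)
    ok, bad = hardened_install_plan(SAMPLE_MANIFEST, sig, demo_key,
                                    {"com.example.trustedupdate"})
    print("hardened flow installs:", ok, "rejects:", bad)
```

Run stand-alone, the script shows the unverified flow accepting both packages while the hardened flow installs only the allowlisted HTTPS package and rejects the plaintext-HTTP one; a tampered or unsigned manifest is rejected outright before any package is considered, which is the property the dropper described in the article lacks.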

Avast can detect and remove the payloads, and it recommends following these instructions to disable the dropper. If the dropper spots antivirus software on your phone it will stop showing notifications, but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes that this vector is similar to the Lenovo “Superfish” exploit that shipped thousands of computers with malware built in.
