Avast reports that it has discovered pre-installed malware on low-cost Android devices. The affected devices include products by ZTE, Archos, and Prestigio. The affected devices were not certified by Google, the company said.
More details about the malware:
According to a statement from Avast Threat Labs, the adware goes by the name ‘Cosiloon’. It creates an overlay to display an ad over a webpage within the user’s browser. Cosiloon first came to the attention of Russian anti-malware company Dr. Web in 2016. According to the analysis by Avast, the adware has been active since then because neither firmware developers nor device manufacturers took security measures.
Avast Threat Labs says that, from time to time, it observed some strange Android samples in its database. The samples looked like any other adware sample, except that the adware appeared to have no point of infection and used several similar package names, the most common being:
· com.google.eMediaService
· com.google.eMusic1Service
· com.google.ePlay3Service
· com.google.eVideo2Service
The adware forces users to look at an ad by having it pop up while they browse a site in the phone’s default web browser. The ads often lead users to download malicious apps, which in turn download more apps onto the user’s phone.
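As an added example (not code from Avast's report or from this article), the Python script below checks the output of `adb shell pm list packages -f` for the package names listed above. The pattern for "similar" names, the `scan` function and every sample line are assumptions constructed for illustration.

```python
import re

# Payload package names reported in this article.
REPORTED = {
    "com.google.eMediaService",
    "com.google.eMusic1Service",
    "com.google.ePlay3Service",
    "com.google.eVideo2Service",
}
# Assumption: "similar" names share this shape. A hit on the pattern alone
# is a lead to review by hand, not a confirmed detection.
SIMILAR = re.compile(r"^com\.google\.e[A-Z][A-Za-z]*\d*Service$")
# `pm list packages -f` prints package:<apk path>=<package name>. Newer
# Android paths contain '=' themselves, so the name is taken after the last '='.
LINE = re.compile(r"^package:(?P<apk>.+)=(?P<name>[^=]+)$")

# Constructed sample output; paths and the eNews5Service name are made up.
SAMPLE = """\
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/app/eMedia/eMedia.apk=com.google.eMediaService
package:/data/app/~~Qx1A==/com.google.eNews5Service-Zk2B==/base.apk=com.google.eNews5Service
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
"""

def scan(pm_output):
    """Return one finding per package that matches a reported or similar name."""
    findings = []
    for raw in pm_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip warnings and blank lines
        name, apk = m.group("name"), m.group("apk")
        if name in REPORTED:
            kind = "reported"
        elif SIMILAR.match(name):
            kind = "similar"
        else:
            continue
        # Apps on the system partition can only be disabled, not uninstalled,
        # without root, so record where the APK lives.
        findings.append({"package": name, "apk": apk, "match": kind,
                         "on_system_partition": apk.startswith("/system/")})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

To check a real device, save the output of `adb shell pm list packages -f` to a file and pass its contents to `scan` in place of `SAMPLE`.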
How to deactivate Cosiloon
Users can find the dropper in their settings (named “CrashService”, “ImeMess” or “Terminal”, with a generic Android icon) and can click the “disable” button on the app’s page, if available (depending on the Android version). This will deactivate the dropper, and once Avast removes the payload, it will not return.
It affected thousands of users in the past month alone. The latest version of the adware was found on around 18,000 devices belonging to Avast users located in more than 100 countries, including Russia, Italy, Germany, India, Mexico, the UK, as well as some users in the US.