Skip to main content

Some low-cost Android phones shipped with malware built in

Avast has found that many low-cost, non-Google-certifed Android phones shipped with a strain of malware built in that could send users to download apps they didn’t intend to access. The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. Devices effected shipped from ZTE, Archos and myPhone.

The app consists of a dropper and a payload. “The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings.’ We have seen the dropper with two different names, ‘CrashService’ and ‘ImeMess,'” wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. “The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we’ve never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK.”

The dropper is part of the system’s firmware and is not easily removed.

To summarize:

The dropper can install application packages defined by the manifest downloaded via an unencrypted HTTP connection without the user’s consent or knowledge.
The dropper is preinstalled somewhere in the supply chain, by the manufacturer, OEM or carrier.
The user cannot remove the dropper, because it is a system application, part of the device’s firmware.

Avast can detect and remove the payloads and they recommend following these instructions to disable the dropper. If the dropper spots antivirus software on your phone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes that this vector is similar to the Lenovo “Superfish” exploit that shipped thousands of computers with malware built in.



from Mobile – TechCrunch https://ift.tt/2koNNFV

Comments

Popular posts from this blog

TalentLMS

 

The best cheap PS4 bundles, deals and prices in the November sales

Black Friday sales are coming thick and fast and with the weekend's excellent PS4 bundle deals still in stock you'll be happy to find some amazing prices on the Slim and Pro models this week - and we've rounded them up in our Black Friday PS4 deals page for you too. If you're looking for a cheap PS4 bundle deal, this week is a fantastic time to buy, with prices as low as £239 on the Slim and £290 on the Pro.  You're in for a great time too, as so many of the best PS4 games are super cheap nowadays. You've got plenty of great titles to enjoy for far less than they originally sat on store shelves for, and over the Black Friday sales you'll have more than enough opportunity to take advantage of even lower game prices.  Naturally, lots of the below PS4 bundles come with the hottest games. And yes, we've tracked down the new Limited Edition Days of Play PS4 for you too.  We're on the hunt for the lowest PS4 prices all year round, so we aren't ea...