Avast finds Android malware pre-installed on hundreds of phones

The AvastThreat Labs have found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE, Archos, andmyPhone.

Users with affected phones will see popup ads and other annoying problems, and because the adware is installed on a firmware level, it’s incredibly difficult to remove.

The preloaded packages spotted by Avast are a type of adware known as Cosiloon, first identified back in 2016. Technically, Cosiloon isn’t installed on the phones identified by Avast. Instead, the malware operators have integrated a “dropper” program into the firmware of devices. This app reaches out to a server and installs the payload after the phone connects to the internet.

Devices infected with Cosiloon will display ads from the Google, Facebook, and Baidu ad networks. However, they’ll do it in a supremely annoying fashion. These ads appear as overlays on top of other apps. Sometimes they’re right in the middle of the display, and other times they’re banner ads at the bottom. Because the dropper is built into the system firmware, most users will be unable to remove it.

Avast says there are hundreds of affected devices, but only 142 of them have 10 or more active users. You might recognize a few manufacturers on the list like ZTE and Archos. However, the majority are unknown white label device makers. The reason you don’t need to freak out is that almost all the infected devices are uncertified — they don’t run Google’s version of Android.