Security researchers from Avast recently discovered that several hundred devices ship with the Cosiloon adware pre-installed. This malware is installed as a system application, which makes it difficult for users and antivirus apps to remove the software from affected smartphones. The security firm estimates that thousands of users may have been affected by the malware, and the victims are located in more than 100 countries, including Russia, Germany, Italy, the United Kingdom, and the United States. Avast further noted that the majority of the devices infected by the malware have not been certified by Google, and some of the affected smartphones came from manufacturers like ZTE, Archos, Prestigio, and myPhone. In addition, the infected devices are usually equipped with a MediaTek chipset.
This adware consists of two key components: the dropper and the payload. The dropper comes in two variants. The first variant is a separate application located in the system partition of the operating system, and users can see it in the list of system applications in the device settings. The second variant is not a separate application; it is instead incorporated into the SystemUI of the operating system. Both variants serve the same purpose, which is to download the payload from a server and install it on the device. The payload is responsible for displaying the advertisements, and it contains the necessary ad frameworks from Google, Facebook, and Baidu. There are more than a hundred different versions of the payload, and the malware incorporates features that prevent it from being detected by antivirus applications.
The security firm has already communicated with Google to resolve the issue of the pre-installed adware. Avast noted that the search giant has started disabling the adware on a number of devices through Google Play Protect, which is able to disable the dropper component despite its being installed as a system application. Furthermore, the security firm has also communicated with domain registrars to disable the Command and Control servers used by the developers of the Cosiloon adware, in an effort to prevent the payload from being downloaded onto the affected devices.