Android devices being shipped with pre-installed malware: Avast

Thousands of Android devices including those from manufacturers like ZTE, Archos and myPhone are being shipped with pre-installed malware globally including in India, global cyber-security company Avast claimed on Friday.

A majority of these Android devices are not certified by Google and carry an adware that goes by the name "Cosiloon" and creates an overlay to display an advertisement over a webpage within the user's browser, said a report prepared by Avast Threat Labs.

The report said it has found such adware pre-installed on several hundreds of Android models.

"Thousands of users are affected and in the past month alone, Avast Threat Labs has seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries, including Russia, Italy, Germany, India, Mexico, the UK as well as some users in the US," the company said in a statement.

The adware which was previously described by Dr Web (a Russian IT-security solutions vendor) has been active for at least three years and is difficult to remove as it is installed at the firmware level and uses strong obfuscation.

The Avast Threat Labs said it was in touch with tech giant Google and the latter has taken steps to mitigate the malicious capabilities of many app variants on several models, using internally developed techniques.

Google has reached out to firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue, it added.

"Malicious apps can, unfortunately, be installed on firmware level before they are shipped to customers, probably without the manufacturer's knowledge," said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence and Security at Avast.

According to the report, it is not clear how the adware got onto the devices.

The malware authors kept updating the control server with new payloads. Manufacturers also continued to ship new devices with the pre-installed dropper.

"Some anti-virus apps report the payloads, but the dropper will install them right back again and the dropper itself can't be removed, so the device will forever have a method allowing an unknown party to install any application they want on it," the report informed.

Users can find the dropper in their settings (named "CrashService", "ImeMess" or "Terminal" with generic Android icon), and can click the "disable" button on the app's page, if available (depending on the Android version).

This will deactivate the dropper and once Avast removes the payload, it will not return again, the company said.