Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Wednesday May 30 2018, @11:53PM   Printer-friendly
from the getting-more-than-you-paid-for dept.

Submitted via IRC for SoyCow3941

Avast has found that many low-cost, non-Google-certifed Android phones shipped with a strain of malware built in that could send users to download apps they didn't intend to access. The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps...

[...] The app consists of a dropper and a payload. "The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under 'settings.' We have seen the dropper with two different names, 'CrashService' and 'ImeMess,'" wrote Avast. The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. "The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we've never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK."

[...] Avast can detect and remove the payloads and they recommend following these instructions to disable the dropper. If the dropper spots antivirus software on your phone it will actually stop notifications but it will still recommend downloads as you browse in your default browser, a gateway to grabbing more (and worse) malware. Engadget notes that this vector is similar to the Lenovo “Superfish” exploit that shipped thousands of computers with malware built in.

Source: https://techcrunch.com/2018/05/24/some-low-cost-android-phones-shipped-with-malware-built-in/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday May 31 2018, @05:40AM

    by Anonymous Coward on Thursday May 31 2018, @05:40AM (#686610)

    I found this very interesting, from the Avast article:

    Furthermore, nothing is dropped if the device language is set to Chinese.

    Is this the Chinese government spying on other countries, or are the malware authors considerate of their countrymen?

    Or just another example of someone offshoring 'dirty work' to good old Cathay that they'd get prosecuted for in the West (e.g. the Freestreet Games ad shown in one of the screen dumps in the avast article is a product of a bunch of adslingers based in Cyprus who'll legitimately claim, if questioned, that in good faith they're just taking advantage of an available service, how were they to know the delivery mechanism was a bit dodgy..), as I understand it the internal Chinese market for Mobile applications etc is heavily monitored/run by the state, so the authors aren't so much 'considerate of their countrymen' but very mindful of what can happen to them if they inadvertently piss off TPTB by fecking/competing with their malware.