Thousands of Android devices owned by users in over 100 countries, including the U.S., Russia, Italy, Germany, the U.K., Greece, France, and Venezuela, have been found preinstalled with the adware Cosiloon (Detection name: ANDROIDOS_COUDW). The latest version of the malware was found on more than 18,000 devices. Over a hundred different models are affected, the majority of them tablets not certified by Google. Google is aware of the issue and is working on mitigation steps for the app variants and for several device models. Device manufacturers and firmware developers have also been notified, as new device models were still being found carrying the adware.
Cosiloon pushes ads on webpages or apps users are accessing. The researchers who looked into the adware reported that it cannot be easily removed because it is installed at the firmware level and uses heavy and complex obfuscation. One interesting behavior is how it can detect antivirus emulation and modify activities to avoid being flagged as suspicious.
While some parts of the adware are detected by antivirus applications, the researchers noticed samples that had no point of infection and had similar package names. Upon further examination, they found that the adware packages were payloads from a preinstalled system application. The earliest sample of the dropper, a malicious app that is also used to download other malicious files, was from January 2015 and had been installed in a budget tablet sold in Poland; some of the oldest Android application package (APK) files observed were dated 2013 and 2016.
The command and control (C&C) server used by Cosiloon was initially reported and shut down in April 2018, but it has since been restored with another provider. In addition, the adware is under constant development, judging by the number of variants of both its payloads and droppers. While Google Play Protect has started detecting Cosiloon on some devices, automatically disabling the dropper and the payload, users remain potentially at risk of downloadable threats such as ransomware and spyware.