Android Devices Found Preinstalled With Adware Cosiloon

Thousands of Android devices owned by users in over 100 countries, including the U.S., Russia, Italy, Germany, the U.K., Greece, France, and Venezuela, have been found preinstalled with the adware Cosiloon (Detection name: ANDROIDOS_COUDW). The latest version of the malware was found in more than 18,000 devices. Over a hundred varying models are affected, and a majority are tablets not certified by Google. Google is aware of the issue and is working on mitigation steps for the app variants and for several device models. Device manufacturers and firmware developers have also been notified as new device models were found still carrying the adware.

Cosiloon pushes ads on webpages or apps users are accessing. The researchers who looked into the adware reported that it cannot be easily removed because it is installed at the firmware level and uses heavy and complex obfuscation. One interesting behavior is how it can detect antivirus emulation and modify activities to avoid being flagged as suspicious.

[Read: Adware downloads MEVADE/SEFNIT malware with links to ToR user spike]

While some parts of the adware are detected by antivirus applications, the researchers noticed samples that had no point of infection and had similar package names. Upon further examination, they found that the adware packages were payloads from a preinstalled system application. The earliest sample of the dropper, a malicious app that is also used to download other malicious files, was from January 2015 and had been installed in a budget tablet sold in Poland; some of the oldest Android application package (APK) files observed were dated 2013 and 2016.

The command and control (C&C) server used by Cosiloon was initially reported and shut down on April 2018, but it has been restored again using another provider. In addition, the adware has been found to undergo constant development, based on the number of variants of both its payloads and droppers. While Google Play Protect has started detecting Cosiloon in some of the devices and the dropper and the payload are automatically disabled, users are still potentially at risk of downloadable threats like ransomware and spyware.

 [Read: The fine line between ad and adware: A closer look at the MDash SDK]

Here are some steps to make sure your mobile devices are protected:

  • Avoid clicking on pop-up ads while using your browser or app.
  • Regularly download patches to ensure that your operating system or application is updated.
  • Flag suspicious application behavior so developers can analyze and address issues.

Trend Micro customers are protected with multilayered mobile security solutions via Trend Micro™ Mobile Security for Android™ (available on Google Play). Trend Micro™ Mobile Security for Enterprise solutions provide device, compliance, and application management, data protection, and configuration provisioning, as well as protect devices from attacks that exploit vulnerabilities, preventing unauthorized access to apps and detecting and blocking malware and fraudulent websites. Trend Micro™ Mobile App Reputation Service (MARS) covers threats to Android and iOS devices using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.