Some Low-Cost Android Phones Shipped With Malware Built In

More than 100 different low-cost Android models from manufacturers such as ZTE, Archos, and myPhone ship with malware pre-installed, researchers at Avast Threat Labs reported on Thursday. Users in more than 90 countries, including the U.S., are affected by this, the researchers said. From a report: The malware, called called Cosiloon, overlays advertisements over the operating system in order to promote apps or even trick users into downloading apps. The app consists of a dropper and a payload. "The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under 'settings.' We have seen the dropper with two different names, 'CrashService' and 'ImeMess,'" wrote Avast.

The dropper then connects with a website to grab the payloads that the hackers wish to install on the phone. "The XML manifest contains information about what to download, which services to start and contains a whitelist programmed to potentially exclude specific countries and devices from infection. However, we've never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK."

reluctant fan

[supernova87a]

Say what you will about Apple and their high prices, closed ecosystem, etc. More and more these days, I find that they are looking out for the end user -- not taking their data off the phone, protecting against malware / abusive apps (the ones that mine our data, suck up your bandwidth, etc), pushing back against law enforcement overreach, and actually have teams whose responsibility it is to keep tabs on all this.

You may get some cheap Android phone that works, but what do you give up? You don't even know till it's too late.

Re:iPhones ship with iTunes.

[Desler]

iPhones don’t ship with iTunes. iPhones also haven’t needed iTunes in years to do anything.

Re:My family has multiple ZTE phones

[pnutjam]

without root, you can pull applications out with the adb toolkit

Re:Vs. Carrier Apps

[pnutjam]

You can use the adb toolkit to pull that stuff off your phone. https://github.com/pborowicz/h...

I don't give up anything

[rsilvergun]

I just don't put sensitive information on my phone. You're still getting tracked you know, just not by google (unless you run their apps, which honestly most do).

Also Apple talks big, but they'll comply with any subpoena they get. Androids have the same levels of encryption on $200 phones. Yeah, if you go _really_ cheap you get corners cut like this, but you don't have to spend $800 (what my kid's iPhone 8 cost) just to get a modicum of security....

What is the origin

[julian67]

What is the origin of the affected devices? I never heard of myPhone but Archos and ZTE are long established companies who have established reputations by offering products with, respectively, excellent multimedia capability and relatively high end specs at relatively modest price. They don't seem like the kind of no-name companies or desperate rebranding enterprisesd who would deliberately play the malware/gouging the customer game. I haven't owned an Archos phone but I did own several of their older Android devices dedicated to video and audio playback and they definitely did not load up their custom Android versions with bloatware, scamware, adware etc. In fact they did some great stuff that Google was very bad at doing at the time (think back to Eclair, Froyo, Gingerbread era) such as really slick smb and upnp browsing and playback integration into their custom file browser and multimedia apps, support for streaming flac, ogg vorbis and so on.

I just find it hard to believe that they would risk a niche position and a decent reputation like this. Absolutely anywhere in the supply chain from the factory to the retail outlet could be the weak link, it is not necessarily the brand name/designer/enterprise who commissioned the goods.

One big same

[magarity]

manufacturers such as ZTE, Archos, and myPhone

The Chinese city of Shenzhen is for all practical purposes one giant factory with different company names over different loading dock doors. But it's all the same conglomerate inside.