Android devices with pre-installed Adware

[German]Security provider Avast raises an alarm: Android devices are shipped with pre-installed malware. Thousands of users around the globe are affected by mobile adware being delivered on brand new devices.


If you buy an Android device, it is annoying if Bloatware is pre-installed in the form of apps. It becomes criminal if these apps then contain malicious code that spams the user with ads via adware.

Avast Threat Lab warns against adware

Avast Threat Lab has found pre-installed adware on nearly 1,000 different Android models, including devices from manufacturers such as ZTE, Archos and myPhone. The majority of these devices have not been certified by Google.

Adware Cosiloon

The adware named "Cosiloon" displays unwanted advertising in the browser. Thousands of users are affected; in recent months alone, Avast has detected the latest version of the adware on around 18,000 devices from users in over 100 countries – Russia leads the top 10, followed by Italy, Germany, UK, Ukraine, Portugal, Venezuela, Greece, France and Romania.

Well knows from the past

The adware was already described by experts at Dr. Web in January 2016 and has been active for at least the past three years. It is difficult to remove because it is repeatedly loaded via a so-called dropper, i.e. an app programmed to download malware to the smartphone in the background. This dropper is permanently installed at the firmware level of the smartphone and uses strong obfuscation mechanisms.

Google must react

Avast is in contact with Google, whose security experts have already taken steps to combat the harmful effects on various device models. Google uses internally developed technologies for this purpose.


In addition, Google Play Protect has been updated to ensure that these apps are recognized in the future. But after the droppers are pre-installed with the firmware, it is difficult to solve the problem. Google has also contacted the firmware developers to point out the problem and ask them to take action. 

Nothing new on Android devices

Avast has repeatedly discovered very peculiar Android malware in recent years. These copies are actually like any other adware, with the exception that it is not clear how and when it got onto the devices. The adware is available under several similar names, most of which are as follows:


It is unclear how the adware got onto the devices. The control server was continuously updated with a new payload. Manufacturers have also continued to sell new devices with the pre-installed Dropper. 

Some antivirus apps detect the malicious apps

Some antivirus apps on your phone will of course recognize the adware, but the dropper installs it immediately after removal. Moreover, the dropper itself cannot be removed – and thus the mobile phone has a permanent vulnerability that enables unknown third parties to install unwanted software. So far, Avast has only discovered that the Dropper loads adware, but it could also be spyware or blackmail software in the future.

C&C server disable unsuccessfully

Avast tried to disable the C&C Server with Cosiloon and sent requests to the domain registrar and service provider. The first provider, ZenLayser, reacted promptly and shut down the server, but some time later it was reactivated by another provider. To finally stop it, the domain through which the payload is loaded must be blocked. However, this has not yet happened despite Avast contacting the domain registrar. .

Infected without the knowledge of the manufacturer

"Unfortunately, infected apps can be installed at the firmware level before they are sold – probably without the knowledge or intervention of the vendors," said Nikolaos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast. "If an app is installed at the firmware level, it is very difficult to delete it. This requires cooperation between IT security manufacturers, Google and the OEMs. "Only together can we achieve greater security for Android users."

Avast Mobile Security detects the payload and can delete it, but it can't disable the dropper itself due to lack of access rights – Google Play Protect has to take over this task. Since Google Play Protect detected Cosiloon, the number of devices with new payloads has already declined, according to Avast Threat Lab. 

How to detect/remove the dropper

If a user finds the dropper under Settings/Apps (it has names like "CrashService", "ImeMess" or "Terminal" with a general Android icon), he can switch it off via the "Disable" button in the settings – but this does not work for every Android device. Once the dropper is disabled this way, Avast Mobile Antivirus can remove the payload forever.

Avast Mobile Security is also available for free download from the Google Play Store. Avast ( is a manufacturer of digital security products.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *