Low-cost Android devices found in the secret how to install adware

File photo: 3D printed Android logo is shown in front of a cyber-code in this image is 22 March 2016. (REUTERS/dado Ruvic)

Buying a low-cost Android tablet might sound like a bargain, but it can come with a number of security risks.

According to the vendor of Avast thousands of Android devices from lesser known brands have been secretly loaded with malware that may download other nefarious code.

So far, it is just used for spreading adware. Avast saw the threat on more than 140 different Android models, most of them tablets, including products from SAMSUNG, Archos, and Rubinstein, among others.

Devices that the code is displayed annoying pop-up ads promoting the various mobile games, Avast said. But what makes the malware particularly dangerous is that it is pre-installed. A mysterious party directly embedded the problematic code in the device firmware, making it difficult to remove.

More From PCmag

  • Overwatch is Free to Play This Weekend

  • With ZTE in the Problems, Coolpad Sees a Chance

  • With Volkswagen Deal Apple’s Self-driving Car Dreams Shrink

  • StumbleUpon Ended After 16 Years


Avast speculates that the perpetrators exploited a gap in the supply chain. It is possible that a seller had the firmware software hacked, or perhaps a rogue employee secretly slipped into the malicious code during production, Avast told PCMag in an email.

The malware, called “Cosiloon,” has been active for at least three years. In December 2016, Russian antivirus company Doctor Web reported that it is embedded in the firmware of 26 smartphone models. Since then, the code has persisted, and manufacturers continue to ship.

Although Cosiloon has up to now been more of a nuisance than a security threat, Avast warns that the malware can also be used to download spyware and ransomware to the same devices.

Under Avast own customers, the adware of Cosiloon is found on the 18,000 devices located in more than 100 countries, including Russia, Italy, Germany, the united kingdom and the united states.

Google reached the firmware developers, so that they could take steps to root out malicious code from their systems. In the meantime, Google is using the built-in protection against malware on Android to prevent the adware from loading.

Avast blog post has tips for the affected users on how to remove Cosiloon of their devices. For example, the company’s mobile security app can automatically remove the adware downloads.

“Users can search for the [Cosiloon] dropper in their settings (with the name ‘CrashService’, ‘ImeMess’ or ‘Temple’ with a generic Android icon) and click on the ‘off’ button on the page with the app, if available (depending on the version of Android). This will turn off the dropper and once Avast removes the load, it will not return,” the supplier said.

A list of all the affected Android models, you can find it here. It is interesting that Cosiloon seems to be running dormant on devices based in China, suggesting that the perpetrators can be based there and wants to avoid the attention of the authorities.

This article originally appeared on

Follow us

Don't be shy, get in touch. We love meeting interesting people and making new friends.

Most popular