Security researchers have discovered a dangerous piece of malware shipping on Android devices. Yesterday one of the major anti-virus vendors announced that over 140 models of cheap Android devices currently being sold to customers come with a threat known as the Cosiloon virus.
Cosiloon Android Virus Discovery
An alarming discovery was announced yesterday by Avast Labs: malicious code has been found on cheap devices. The code is pre-installed on devices offered by various vendors, and many of these devices are not certified by Google. They are still being sold in many physical and online stores, and to date the total number of affected victims cannot be estimated. A notable characteristic of Cosiloon is that it has remained hidden for a very long time. It was initially discovered in 2016, and the recently detected strains feature slightly updated code. According to the researchers, the newer version of the threat affects around 18 000 devices in more than 100 countries.
Ever since the malware was discovered, the affected devices and detailed information have been reported to Google. Google is actively taking steps to mitigate the virus’s spread through Google Play Protect. These actions will help remove infected code that has managed to infiltrate apps on the software repository. However, actual mitigation and effective removal are difficult because the threat comes pre-installed. Google has reached out to firmware developers in order to raise awareness of the issue.
NOTE: A partial list of the affected devices can be accessed here.
The Cosiloon Android Virus Overview
The Cosiloon Android Virus infections feature a complex behaviour pattern that begins once the virus code is activated. The dangerous characteristic of Cosiloon is that it has no infection vector: the virus comes pre-installed out of the box. It appears that the packages found on the Google Play Store share similar names, some of the most common ones include the following:
The virus files are part of the device’s firmware code and use strong obfuscation and stealth techniques that protect them from discovery and removal. Because of this severity they are rated as critical. One of the virus strains was found to exhibit suspicious behavior, and this triggered the security analysis that ultimately led to Cosiloon’s discovery.
It appears that the instance is an old sample from January 2015 that was discovered on a budget tablet. The dates on the files inside the package range from 2013 to 2016, which signals that the threat is not new.
The Cosiloon Android virus has since been found to carry many payloads. It has many variants and is continuously updated by its operators. The command and control servers used to control the infected devices are still active and continue to distribute updated code.
Cosiloon Android Virus Infection Behaviour
The Cosiloon Android virus consists of two separate packages (APKs) — the dropper and the actual payload. Older versions of it have been found to feature a separate adware application installed in the system partition.
The older variant of the dropper is also known as Dropper variant A. It is a small application that does not feature any obfuscation and is completely passive. It is listed among the system applications under various names: “CrashService”, “ImeMess” and others. There are several versions of this type, and all follow the same infection algorithm:
- Manifest Download — A manifest file is downloaded from the attackers’ servers. The file may have different names and contains information about the malicious actions that are to be performed. The analysts found that it supports both white lists and black lists, which can be used in targeted campaigns. The security experts are tracking changes to the manifest file as they happen.
- Installation — The dropper retrieves the malicious payload from the links provided in the manifest. The payload is placed in a predefined download folder and installed on the target system using a standard operating system command.
- Payload Service Launch — The manifest file also specifies startup entries that are used to start the payload service. This establishes persistence: the virus is launched every time the device boots. The dropper itself is designed as a system application, an integral part of the device’s firmware, and cannot be removed by the user.
The second variant, known as Dropper Variant B, features similar code, but it does not contain a separate system application. Instead the dropper code is embedded in one of the main parts of the Android operating system — the user interface (SystemUI.apk). This makes the dropper almost impossible for the user to remove. The package implements the user interface: the status bar, notifications, the lock screen and so on. The collected samples were found to contain the following hidden virus packages:
This dropper type features a separate manifest file that allows various actions to be triggered: installation of additional packages, private data hijacking and so on.
Cosiloon Android Virus Operations
There are hundreds of payload versions that appear to be based on the Cosiloon Android virus code. The payload is heavily obfuscated, which makes it difficult to analyze. The payload files contain encoded ad framework engines from Google, Baidu and Facebook. Like other advanced threats, it includes specialized stealth protection: it can detect security software that might interfere with the execution of the malicious code. Examples of such products include anti-virus software, sandbox environments and virtual machine hosts. Updated payload code has been found to be able to download additional override signatures from the command and control servers.
The payload is active only when the dropper instance is present and active. Depending on the exact configuration it can trigger various effects on the target devices. It appears that one of the main actions is the display of intrusive pop-ups, advertisements and aggressive overlays. Over successive versions the behavior has shifted from presenting ads on top of the browser to drawing overlays over all active applications. The majority of the payloads do not feature any user-facing entry points and cannot be controlled in any way by the user.
The application appears in the system’s menu under various fake names: “MediaService”, “eVideo2Service” and “VPlayer” are some examples. One of the newest updates switched to the name “Google++” and appears to be an interim release before the next major version.
The payload can also be configured not to run, based on the following checks:
- Number of installed applications
- Language & Regional Settings
- Device Model
We anticipate that future versions could be used to deliver ransomware, cryptocurrency miners and other advanced threats to infected devices.
Cosiloon Android Virus Impact
All of this shows that an active Cosiloon virus infection has very serious consequences. The malicious code can change dynamically as the infection progresses, and it is not known how future versions will be updated. The fact that the initial releases were discovered years ago and the manufacturers continued to ship infected devices shows a widespread disregard for security.
The security experts have attempted to disrupt the virus’s connections by sending takedown requests to the various Internet service providers and domain registrars. At this point not all of the contacted services have responded.
The security analysts note that current anti-virus products can successfully detect the signatures associated with the virus family; however, they cannot acquire the permissions required to disable the droppers. This can only be achieved by implementing the signatures in the Google Play Protect service. Google is actively working with the community in order to respond to ongoing malware development.
NOTE: Some variants can be manually disabled by looking out for the following applications in the applications menu: “CrashService”, “ImeMess” or “Terminal”. The victims can click on the “disable” option which should terminate the dropper’s activity and allow mobile anti-virus software to remove the virus instance.
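The manual check above works one application at a time through the settings menu. For a technician triaging several devices, the same check can be run against the output of `adb shell pm list packages -f`, which prints one `package:<apk path>=<package name>` line per installed app. The script below is an added example, not Avast’s tooling or anything from the article: it parses that output, flags packages whose APK or package name matches the labels quoted in this article, records whether each one lives on a read-only system partition (disable only) or in user space (uninstallable), and prints the command a technician would review before running it. The package names such as `com.example.crashservice` and the sample listing are constructed; the article gives no real package names, and the label match is a heuristic that will miss Dropper Variant B, which hides inside the legitimate `SystemUI.apk`.

```python
"""Triage the output of `adb shell pm list packages -f` for packages
whose names match the Cosiloon labels quoted in the article.
Added example; labels are a heuristic, package names below are constructed."""
import re

# Application labels quoted in the article. A benign app could share one,
# so every hit is a candidate for review, not a verdict.
WATCHLIST = ("CrashService", "ImeMess", "Terminal", "MediaService",
             "eVideo2Service", "VPlayer", "Google++")

# Read-only partitions: a package here can be disabled for the user but
# not uninstalled without reflashing the firmware.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")

# Real line format of `pm list packages -f`: package:<path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+\.apk)=(?P<pkg>\S+)$")


def parse_package_list(text):
    """Return a list of (apk_path, package_name) tuples from pm output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def find_suspects(entries, watchlist=WATCHLIST):
    """Flag entries whose APK file name or package name contains a
    watchlisted label (case-insensitive), noting the partition."""
    suspects = []
    for path, pkg in entries:
        apk_name = path.rsplit("/", 1)[-1]
        haystack = (apk_name + " " + pkg).lower()
        hits = [label for label in watchlist if label.lower() in haystack]
        if hits:
            suspects.append({
                "package": pkg,
                "path": path,
                "labels": hits,
                "system": path.startswith(SYSTEM_PREFIXES),
            })
    return suspects


def remediation_commands(suspects):
    """Commands for a technician to review, never executed here:
    system packages can only be disabled, user packages can be removed."""
    cmds = []
    for s in suspects:
        if s["system"]:
            cmds.append("adb shell pm disable-user --user 0 %s" % s["package"])
        else:
            cmds.append("adb shell pm uninstall %s" % s["package"])
    return cmds


# Constructed sample listing; only the line format mirrors the real tool.
SAMPLE = """\
package:/system/app/CrashService/CrashService.apk=com.example.crashservice
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/data/app/com.vendor.terminal-1/base.apk=com.vendor.terminal
package:/system/app/ImeMess/ImeMess.apk=com.example.imemess
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
"""

if __name__ == "__main__":
    found = find_suspects(parse_package_list(SAMPLE))
    for s in found:
        where = "system partition" if s["system"] else "user space"
        print("%s (%s) matched %s" % (s["package"], where, ", ".join(s["labels"])))
    for cmd in remediation_commands(found):
        print("  review:", cmd)
```

On a real device, pipe `adb shell pm list packages -f` into `parse_package_list` instead of `SAMPLE`. Disabling a system package with `pm disable-user` stops the dropper from running for that user, which matches the article’s advice, but the APK stays in the firmware and can be re-enabled by a later update; a package that is not on the list, such as a modified `SystemUI.apk`, needs signature-based scanning rather than a name check.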