Even if you’re careful about avoiding sketchy websites and apps, there’s nothing you can do if your smartphone has malware built in. That’s actually the case with hundreds of different smartphones, according to Avast Thread Labs. The researchers found adware installed on devices not certified by Google from manufacturers like ZTE, Archos and myPhone. Users with affected phones will see popup ads and other annoying problems, and because the adware is installed on a firmware level, it’s incredibly difficult to remove.
This isn’t the first time we’ve seen bad apps pre-installed, as Lenovo famously shipped the “Superfish” malware with brand new PCs. It’s one of the bigger scandals related to malware installed on Android devices, however.
There are a couple of different variants of the Android malware APKs, but they work much the same.The infected apps, called droppers, are installed in a hidden way in a list of system applications in the settings. First, they download a small file called a manifest that tells the app what to download. Then, it downloads and installs an APK from an URL found in the manifest, and installs it. Finally, it starts the payload service.
The payload APK contains Google, Facebook and Baidu ad frameworks. It is able to detect any antivirus software, and will “hold back any suspicious actions in this case,” said Avast. If not, it will show popup ads for sketchy games while you surf on your default browser. That is already a big nuisance, but could get a lot worse if you actually installed any of the games.
The top countries affected are Russia, Italy, Germany, the UK and France. Avast managed to disable the dropper server via takedown requests, but it was quickly restored using another provider. The adware servers are still operating, and lots of users have complained about it, the company notes.
Avast contacted Google, which “has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques,” said the company. Specifically, Google Play Protect should automatically disable the dropper and the payload, if it’s available.
Curled from Engadget