

Avast Threat Labs analyzed malware that has affected thousands of users around the world. Blog post and analysis by Vojtech Bocek and Nikolaos Chrysaidos.

When you get a brand new phone, you expect it to be clean of any malware and adware. Unfortunately, this is not always the case. The Avast Threat Labs has found adware pre-installed on several hundred different Android device models and versions, including devices from manufacturers like ZTE and Archos. The majority of these devices are not certified by Google. The adware we analyzed has previously been described by Dr. Web and goes by the name "Cosiloon." As can be seen in the screenshots below, the adware creates an overlay to display an ad over a webpage within the user's browser. The adware has been active for at least three years and is difficult to remove, as it is installed at the firmware level and uses strong obfuscation. Thousands of users are affected: in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries, including Russia, Italy, Germany and the UK, as well as some users in the U.S.

We are in touch with Google and they are aware of the issue. Google has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques. Google Play Protect has been updated to ensure there is coverage for these apps in the future. However, as the apps come pre-installed with the firmware, the problem is difficult to address. Google has reached out to the firmware developers to bring awareness to these concerns and encouraged them to take steps to address the issue.

We've observed strange Android samples coming into our database from time to time for a few years now. The samples appeared to be like any other adware sample, with the exception that the adware appeared to have no point of infection and several similar package names, the most common being:

Recently, one of the samples topped our detection statistics after our apk.io threat intelligence platform marked it as malware, so we started digging. It turns out these adware packages are just payloads dropped from a system application pre-installed by the manufacturer on a surprising number of different devices. Even more surprising is that the earliest sample of the dropper (an app that downloads further malicious apps) we have is from January 2015 and was preinstalled on a budget tablet sold in Poland. Moreover, the dates on the files inside the oldest APK we have are old, some dating as far back as January and March 7, 2013.

This adware family also has many variants of both payloads and droppers, indicating continuous development. When we began our analysis, the C&C server used to control the malware was still active and being updated with new payloads. We contacted CNCERT, as well as the companies that host the C&C server, and the server was taken down on April 10, 2018. The malware family is old, not particularly stealthy, and at least parts of it are usually detected by common antivirus apps, but despite this, we are not aware of any detailed analysis that would link all the pieces together.

The whole assembly consists of two separate APKs: the dropper and the payload. Older versions of the malware had a separate adware app pre-installed in the /system partition, but this approach appears to have been changed in favor of the new, dropped payload.

The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under "Settings". We have seen the dropper under two different names, "CrashService" and "ImeMess". There are several versions in the wild, all sharing the same basic behavior:

1. They download a manifest when the device is connected to Wi-Fi.

The XML manifest contains information about what to download and which services to start, and it carries a whitelist programmed to potentially exclude specific countries and devices from infection. However, we've never seen the country whitelist used, and just a few devices were whitelisted in early versions. Currently, no countries or devices are whitelisted. The entire Cosiloon URL is hardcoded in the APK. Different subdomains (abc, abd) and different file names (version_2.xml, version_3.xml, information.xml) are also used, presumably for debugging. Right now, they all point to the same file or are broken. The manifest has changed over time and we have several versions recorded; we are keeping a history of its contents.

Once a payload APK has been downloaded, the dropper installs it by invoking Android's package manager binary directly, with the -r flag so that an already installed copy is replaced:

```java
// Dropper code as shown in the analysis: this.mPath is the path of the downloaded payload APK.
cmd = Runtime.getRuntime().exec("pm install -r " + this.mPath + "\n").getInputStream();
```
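The manifest-driven gating described above, modeled in Python as an added example (this is not the dropper's code, and the analysis does not reproduce the real manifest, so the element and attribute names, the sample manifest, the device values and the `am startservice` step are all assumptions). It shows why the "whitelist" is really an exclusion list, that an empty whitelist targets every device, and how a responder would pull download URLs and package names out of a captured manifest:

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample manifest. The real Cosiloon manifest is not reproduced in the
# analysis, so the element and attribute names here are assumptions, chosen only to
# carry the three things the analysis says the manifest holds: what to download,
# which services to start, and a country/device whitelist (exclusion list).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest>
  <whitelist>
    <country code="CN"/>
    <device model="TEST-TABLET-7"/>
  </whitelist>
  <download url="http://example.invalid/abc/payload_v3.apk" package="com.example.payload.one"/>
  <download url="http://example.invalid/abd/payload_v4.apk" package="com.example.payload.two"/>
  <service package="com.example.payload.one" name="com.example.payload.one.AdService"/>
</manifest>
"""


@dataclass
class Manifest:
    excluded_countries: Set[str] = field(default_factory=set)
    excluded_devices: Set[str] = field(default_factory=set)
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (url, package)
    services: List[Tuple[str, str]] = field(default_factory=list)   # (package, service class)


def parse_manifest(xml_text: str) -> Manifest:
    """Parse the (assumed) manifest schema; comparisons are case-insensitive."""
    root = ET.fromstring(xml_text)
    m = Manifest()
    for c in root.iterfind("./whitelist/country"):
        m.excluded_countries.add(c.get("code", "").upper())
    for d in root.iterfind("./whitelist/device"):
        m.excluded_devices.add(d.get("model", "").upper())
    for dl in root.iterfind("./download"):
        m.downloads.append((dl.get("url"), dl.get("package")))
    for s in root.iterfind("./service"):
        m.services.append((s.get("package"), s.get("name")))
    return m


def is_targeted(m: Manifest, country: str, model: str) -> bool:
    """The whitelist is an exclusion list: a listed country or device model is skipped.
    An empty whitelist (the state the analysis reports as current) targets everyone."""
    return (country.upper() not in m.excluded_countries
            and model.upper() not in m.excluded_devices)


def planned_actions(m: Manifest, country: str, model: str, download_dir: str) -> List[List[str]]:
    """Commands the dropper would issue for this device, as argv lists.

    `pm install -r <apk>` matches the install call quoted in the analysis; deriving the
    local file name from the URL and starting services with `am startservice` are assumptions."""
    if not is_targeted(m, country, model):
        return []
    actions: List[List[str]] = []
    for url, _pkg in m.downloads:
        apk_path = download_dir.rstrip("/") + "/" + url.rsplit("/", 1)[-1]
        actions.append(["pm", "install", "-r", apk_path])
    for pkg, svc in m.services:
        actions.append(["am", "startservice", "-n", f"{pkg}/{svc}"])
    return actions


def extract_iocs(m: Manifest) -> Dict[str, List[str]]:
    """Indicators a responder would pull from a captured manifest."""
    packages = {p for _, p in m.downloads} | {p for p, _ in m.services}
    return {"urls": sorted(u for u, _ in m.downloads), "packages": sorted(packages)}


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print(extract_iocs(manifest))
    for argv in planned_actions(manifest, "DE", "SOME-PHONE", "/data/local/tmp"):
        print(" ".join(argv))
```

Feed `parse_manifest` a manifest captured from a device or a proxy, and `extract_iocs` gives the URLs and package names to block or hunt for; `is_targeted` with an empty whitelist returns True for every device, which is the situation the analysis describes for the current manifests.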
