Kaspersky Lab researchers have published a report on the annoying adware that smartphone users so often encounter. As it turns out, it is frequently pre-installed "out of the box": 14.8% of all users dealt with "undeletable" malware that lodges itself in the system partition, and attempts to get rid of it can leave the device inoperable.
The researchers say they observe two main strategies for getting such advertising onto a device: either the malware obtains root on the device and installs advertising applications into the system partition, or the code responsible for displaying ads (or its loader) is already contained in the device's firmware before it ever reaches the consumer.
Since an antivirus in the Android ecosystem is just an ordinary application, it physically cannot do anything about adware or malware located in system directories: it runs without root, and the system partition is mounted read-only, so at best it can detect and warn. This makes such infections a serious problem, even when we are talking only about advertising programs. The attackers behind them do not hesitate to advertise (in fact, to force the installation of) almost anything they are paid to push. As a result, any malware can end up on the user's device.
The proportion of people who encounter such advertising malware is 1–5% of all users of Kaspersky Lab security solutions (depending on the specific brand). These are mainly owners of smartphones and tablets of certain brands from the lower price segment. For some popular manufacturers of low-cost devices, however, the figure reaches 27%.
There are also smartphones with advertising modules preinstalled by the manufacturers themselves. Some vendors openly state that they embed advertising in the shells of their smartphones; some of them leave the user the option to turn off its display, while others give no such option and call their approach a business model that reduces the cost of the device for the end user.
At the same time, the user is generally not given a choice between buying the device at full price or a little cheaper but with lifelong advertising. Moreover, in no electronics store did the experts find a noticeable and understandable warning that after buying the phone the user will be forced to watch ads. In other words, buyers may not realize that they are paying for an advertising billboard with their own money.
Meizu does not hide the fact that it shows ads in its applications. The advertising is quite unobtrusive, and it can even be turned off in the settings. However, in the preinstalled AppStore application (MD5 c4296581148a1a1a008f233d75f71821) the researchers found "hidden advertising": it can be loaded silently and displayed in invisible windows (an approach usually used to inflate impression counts), consuming data and battery power.
This approach is often used in outright malicious applications that sign the user up for paid subscriptions without their knowledge. According to the analysts, all that remains is to trust the decency of the organizations that operate the advertising module and hope that third parties do not gain access to it.
However, AppStore is not the only suspicious application on Meizu devices. It was also noticed that Meizu Music (com.meizu.media.music, MD5 19e481d60c139af3d9881927a213ed88) contains an encrypted executable file used to download and run a certain Ginkgo SDK.
One can only guess at the purpose of this SDK: Meizu devices do not always download it, and the specialists were not able to obtain the latest version. However, the versions of the Ginkgo SDK that were studied displayed ads and installed applications without the user's knowledge.
The com.vlife.mxlock.wallpaper application (MD5 04fe069d7d638d55c796d7ec7ed794a6) also contains an encrypted executable file and ultimately carries the functions that are standard for gray advertising modules, including the ability to install applications covertly.
The researchers emphasize that they contacted Meizu about the above findings but did not receive a reply.
Unfortunately, if a user buys a device with such pre-installed "advertising", it is often impossible to remove it without risking damage to the system. All that remains is to rely on enthusiasts who build alternative firmware (which in turn requires a bootloader that can be unlocked).
The experts write that among the most common examples of adware installed in the system partition are the Lezok and Triada Trojans. The second is noteworthy in that its ad code was embedded not in some separate file but directly in libandroid_runtime, a key library used by almost every application on the device. Although these threats were identified several years ago, users continue to encounter them today.
In addition to the dubious files on one vendor's devices, the researchers found another problem affecting a huge number of smartphones. Many devices carry a file /bin/fotabinder (MD5 3fdd84b7136d5871afd170ab6dfde6ca) that can download files to the device and execute code received from one of the remote servers adsunflower(.)com, adfuture(.)cn or mayitek(.)com.
Most likely this file is part of an update or testing system (its name suggests a FOTA, firmware-over-the-air, component), but the encrypted C&C addresses and the functions that can provide remote access to the device look suspicious.
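The hashes, package names and C&C domains quoted above are usable indicators. The following script, added here as an example and not part of the Kaspersky report, matches them against three inputs a practitioner can collect without root: `adb shell pm list packages -f` output (to see whether a watchlisted package sits on a read-only partition, i.e. is undeletable), `adb shell md5sum <file>` output, and DNS resolver logs in dnsmasq format. All sample inputs are constructed for the demonstration; the indicator values are the ones quoted in the text.

```python
"""Match the indicators quoted in the article against device and DNS data.

Added example; the sample inputs below are constructed, not captured from a real device.
"""
import re

# Indicators quoted in the article: MD5 of the APK/binary, package names, C&C domains.
IOC_MD5 = {
    "c4296581148a1a1a008f233d75f71821": "Meizu AppStore (hidden ad loading)",
    "19e481d60c139af3d9881927a213ed88": "com.meizu.media.music (Ginkgo SDK loader)",
    "04fe069d7d638d55c796d7ec7ed794a6": "com.vlife.mxlock.wallpaper (covert install)",
    "3fdd84b7136d5871afd170ab6dfde6ca": "/bin/fotabinder (remote download/execute)",
}
IOC_PACKAGES = {"com.meizu.media.music", "com.vlife.mxlock.wallpaper"}
IOC_DOMAINS = {"adsunflower.com", "adfuture.cn", "mayitek.com"}

# Read-only partitions: an ordinary app (an AV included) cannot remove anything here.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/oem/")

PKG_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")
MD5_LINE = re.compile(r"^(?P<md5>[0-9a-fA-F]{32})\s+(?P<path>\S+)$")
QUERY_LINE = re.compile(r"query\[(?:A|AAAA)\]\s+(?P<name>[A-Za-z0-9.-]+)\s+from\s+(?P<src>\S+)")


def parse_pm_list(output):
    """Parse `pm list packages -f` lines ("package:<apk path>=<package>") into (path, pkg)."""
    entries = []
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def is_system_path(path):
    """True if the APK lives on a partition that is read-only at runtime."""
    return path.startswith(SYSTEM_PREFIXES)


def flag_packages(pm_output):
    """Watchlisted packages, with a note on whether they are undeletable (system partition)."""
    return [
        {"package": pkg, "path": path, "system": is_system_path(path)}
        for path, pkg in parse_pm_list(pm_output)
        if pkg in IOC_PACKAGES
    ]


def flag_hashes(md5sum_output):
    """Match `md5sum` output ("<hash>  <path>") against the known-bad MD5 list."""
    hits = []
    for line in md5sum_output.splitlines():
        m = MD5_LINE.match(line.strip())
        if m and m.group("md5").lower() in IOC_MD5:
            hits.append({"path": m.group("path"), "md5": m.group("md5").lower(),
                         "label": IOC_MD5[m.group("md5").lower()]})
    return hits


def domain_matches(name):
    """Exact or subdomain match; 'notadsunflower.com' must NOT match 'adsunflower.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def flag_dns(log_lines):
    """Clients that resolved a C&C domain, from dnsmasq-style query log lines."""
    hits = []
    for line in log_lines:
        m = QUERY_LINE.search(line)
        if m and domain_matches(m.group("name")):
            hits.append({"client": m.group("src"), "name": m.group("name")})
    return hits


# Constructed sample inputs (paths and client addresses are invented for the example).
SAMPLE_PM = """\
package:/system/priv-app/MeizuMusic/MeizuMusic.apk=com.meizu.media.music
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/VlifeWallpaper/VlifeWallpaper.apk=com.vlife.mxlock.wallpaper
"""
SAMPLE_MD5 = """\
3fdd84b7136d5871afd170ab6dfde6ca  /bin/fotabinder
d41d8cd98f00b204e9800998ecf8427e  /system/bin/sh
"""
SAMPLE_DNS = [
    "Jun  1 12:00:01 gw dnsmasq[1234]: query[A] cdn.adfuture.cn from 192.168.1.23",
    "Jun  1 12:00:02 gw dnsmasq[1234]: query[A] www.example.org from 192.168.1.23",
    "Jun  1 12:00:03 gw dnsmasq[1234]: query[AAAA] mayitek.com. from 192.168.1.40",
    "Jun  1 12:00:04 gw dnsmasq[1234]: query[A] notadsunflower.com from 192.168.1.41",
]

if __name__ == "__main__":
    for h in flag_packages(SAMPLE_PM):
        print("package", h["package"], "at", h["path"], "(undeletable)" if h["system"] else "")
    for h in flag_hashes(SAMPLE_MD5):
        print("hash   ", h["path"], "->", h["label"])
    for h in flag_dns(SAMPLE_DNS):
        print("dns    ", h["client"], "resolved", h["name"])
```

A hash match only tells you that a known-bad build is present; a package on a `/system` path that does not match any hash still deserves a look, since the report notes that newer Ginkgo SDK versions could not be obtained, and the loader in Meizu Music downloads the SDK at runtime rather than shipping it.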
But all this is just the tip of the iceberg. In their report, the researchers describe in detail what else users still face today and in which other system applications "extra" code was discovered.