Recently, researchers from the Cheetah Mobile Security Lab have found a dangerous Trojan, dubbed Cloudsota, pre-installed on certain Android tablets. Tablets infected with this Trojan are still on the shelves of Amazon, ready to be shipped to customers around the world.
Origin: Complaints from victims
This Trojan has existed for quite some time and victims have been consistently asking for help at Android forums like XDA, TechKnow and others.
A few complaints from customers can be found on Amazon as well.
Evil: Malicious activities of the Cloudsota
The Cloudsota Trojan enables remote control of the infected devices, and it conducts malicious activities without user consent.
The CM Security Lab has detected that Cloudsota can install adware or malware on the devices and uninstall anti-virus applications silently. With root permission, it is able to automatically open all installed applications. Furthermore, we found that the Trojan replaces the boot animation and wallpapers on some devices with advertisements. Cloudsota also changes the browser’s homepage and redirects search results to strange ad pages.
Impact: More than 153 affected countries
According to our rough estimation, at least 17,233 infected tablets have been delivered to customers hands. The estimation is based on anonymous data collected by Cheetah Mobile. Since many tablets are not protected by anti-virus applications, the number may actually be significantly greater.
What’s worse, these tablets are still available on many online stores, including the huge retailer Amazon. While most people have no idea about Cloudsota’s potential risks, it is a ticking time bomb threatening your privacy and property.
Over 30 tablet brands have been pre-loaded with this Trojan, among which the most severely affected are the no-brand tablets with Allwinner chips. Over 4000 such tablets have been sold to customers across the world.
We have notified companies involved whose products are found with pre-installed Trojans. We advised those manufacturers to investigate their system firmware carefully, but unfortunately none have responded yet. We assume that the unbranded tablet manufacturers do not pay any attention to user feedback, nor do they have the capability to offer a solution to this problem.
Over 150 countries are affected by this Trojan, with Mexico, USA and Turkey suffering the most.
A large number of customers have left comments on Amazon.com grumbling about the advertisements and popups. These tablets share some similarities that all of them are low-priced and manufactured by nameless small-scale workshops. Here is an incomplete list of the questionable tablets on Amazon. (More details please refer to the Appendix)
Decompile: Technical analysis of the Trojan:
When we discover a questionable tablet, we send a notification to Amazon explaining the issue. We are assured that Amazon can corroborate our messages with its customers complaints and reviews.
Red “Demo” on the screen
Many users reported that their tablets were locked down into demo mode, with a large red “demo” text on the screen all the time. Based on our analysis, the red “demo” is not generated by the Trojan. The source of the red demo exists in the system component package-SystemUI.apk
As soon as the device is booted, the malicious code in SystemUI.apk will be executed to examine whether the malware com.clouds.server (viz., the Trojan cloudsota) has been installed in the tablet, if not, the code will try to get one, and if it fails, it will draw a big red “Demo” in the center of the screen.
Auto restoration after reboots
Even if we remove the Trojan, it will reappear after reboot.
As the Trojan is embedded in boot.img /cloudsota/CloudsService.apk, it is able to restore itself when a user reboots the device, meaning that it is very hard to get rid of.
Every time the device reboots, the code in the script init.rc will restore the Trojan.
The code that restores the Trojan:
Block browser’s homepage
When users boot the device, Cloudsota will visit the Trojan creator’s server frequently (about every 30 minutes), in order to obtain operating commands. Commands to change the browser’s homepage are as follows:
We intercepted some data:
Install Apps silently
Similar with the homepage block, the Trojan gets a list of applications to push from the cloud server and silently installs these apps to the system directory of users’ devices. Generally, users are unable to remove them.
We obtained some information about the Trojan’s implementation:
Other detected behaviors:
The Trojan is also able to:
1. Change the boot animation of the device. (Users have to bear the annoyance of advertisements even when booting.)
2. Uninstall the applications in your device. (Mainly uninstals anti-virus apps and root tools which offer protection to your device)
3. Set your wallpaper to advertisements. (Every time you tap the home button, you will see the nasty advertisements)
4. Activate whatever applications on your device
5. Create pop-up advertisements
Knowing all the malicious activities of this Trojan, we understand why these tablets are so cheap.
Conclusion: Attackers may from China?
We have confident proof showing that attackers from China are behind Cloudsota.
1. The code we extracted from the Trojan links to the WHOIS information on the server of www.cloudsota.com. It is clear that the server is registered in Shenzhen, P.R. China.
Registry Registrant ID:
Registrant Name: QIU BIHUI
Registrant Street: xixang baoan district
Registrant City: shenzhen
Registrant State/Province: guangdong
Registrant Postal Code: 518101
Registrant Country: China
Registrant Phone: 1-368-255-2849
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
2. Much of the code is written in Chinese characters.
3. The manufacturers of tablets are from China.
Solutions and Recommendations
For infected users: We have published manual removal instructions on our blog.
For online stores: We suggest these dealers more strictly vet their product vendors.
For tablet buyers: Do not take the risk of trying tablets from nameless manufacturers just to save some money.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.