Nasty trojan found in the Android OS system loader. Some Phillips s307 Android smartphones come with a pre-installed trojan (Android.Cooee.1) that shows ads and animations on the user’s main screen, and cannot be removed without a firmware update or after going through a complicated series of steps, as Dr.Web, a Russian antivirus maker, is reporting.
The adware was initially spotted in October but was only found on low-end Android smartphones from a series of unknown manufacturers.
A recent incident has brought the trojan back into Dr.Web’s attention when Android.Cooee was found in high-end smartphones manufactured by Phillips (the s307 series).
Android.Cooee in the Android OS system loader
The trojan is pre-installed on the device, right into the firmware, as the Android system loader. Removing it will render the device dead, not being able to start.
Most of the time, Android.Cooee.1 remains dormant on the device, not showing any activity. When it receives instructions from a C&C server, the trojan will display ads on the home screen, or download and silently install other applications.
Since the trojan is part of the Android system, it already has root privileges, and all these malicious applications are installed without ever needing any user interaction.
The trojan could be used to deploy more dangerous threats
“The range of the downloaded applications is extremely wide: from benign games and web browsers to various malicious programs, such as SMS and downloader Trojans, and even banking Trojans that are able to covertly steal money from users’ bank accounts,” Dr.Web’s security team explains.
Right now, Dr.Web has seen the trojan only show ads and install applications as part of a pay-per-install affiliate program that pockets the Android.Cooee author some pretty nice fees.
Users that want to remove the trojan can do it by loading and setting an alternative launcher for the Android OS. This is a complex operation that also requires root privileges. For some mobile operators, getting root privileges voids the device’s warranty, so users should avoid going through this operation if possible.
For most cases, it is recommended that users contact the phone’s manufacturer and ask for a firmware update.
Dr.Web says it contacted Phillips, who said it “is considering possible solutions to the problem.”
Pre-installed malware on Android smartphones is nothing new. Dr.Web previously discovered the Android.Backdoor.114.origin trojan on the Oysters T104 HVi 3G tablet, and G DATA found malware pre-installed on the firmware of 23 Android smartphone models.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.