What is Consiloon?
Consiloon is an adware that creates an overlay to display an ad over a webpage within the users browser.
The adware has been active for at least three years and is difficult to remove as it is installed on the firmware level and uses strong obfuscation. Thousands of users have been affected, and throughout May alone Avast Threat Labs saw the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK and some users in the U.S.
The whole assembly consists of two separate APKs; the dropper and the payload. Older versions of the malware had a separate adware app pre-installed in the /system partition, but this approach appears to have been changes in favour of a new, dropped payload.
The dropper is a small application with no obfuscation, located on the /system partition of affected devices. The app is completely passive, only visible to the user in the list of system applications under ‘settings’. The dropper downloads a manifest from http://www.cosiloon.com/version.xml when the device is connected to Wi-Fi. The dropper then installs a payload from a URL, and then the dropper starts the payload service.
What devices are affected?
Several hundred Android devices are affected by Consiloon. The affected devices usually sport a Mediatek chipset and are mostly low cost tablets. Avast Threat Labs compiled a list of affected devices that includes devices from brands like Archos, ZTE and Prestigio. The devices run different Android versions ranging from 4.2 to 6.0.
Not all device models on the list are affected, as each model has countless firmware variants, dependent upon different countries and carriers.
According to Avast Threat Labs, users in over 90 countries are affected. The top ten countries affected throughout May have been Russia, Italy, Germany, the UK, Ukraine, Portugal, Venezuela, Greece, France and Romania.
The reach of this malware strain seems to be very wide, according to Avast Threat Labs. By searching for the app names, users can find reviews of different devices in many countries, complaining about ads showing up.
How can you protect yourself against it?
Some antivirus programs can detect and report the dropper APK that comes with the firmware. Antivirus apps will detect and remove the payload, however, once it is removed, the dropper will again do its job and re-download the payload.
Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play has to do the heavy lifting. If a users device is infected, Google Play should automatically disable both the dropper and the payload.
Users can find the dropper in their settings, named ‘CrashService’, ‘ImeMess’ or ‘Terminal’ with generic Android icons, and can click the ‘disable’ button on the app’s page, if available. This will deactivate the dropper and once Avast removes the payload, it will not return again.