Pre-installed malware is definitely not one of the reasons why you bought your current Android smartphone or tablet. However, if you own one of a variety of ZTE, Archos and myPhone devices, you also have malware on board.
The report comes from Avast, which has found adware that simply loads ads in your browser. It's not the most nefarious attack you can find on a smartphone, but without a fix, or a sledgehammer, it's certainly the most stubborn.
Avast named these manufacturers in an announcement, noting that most of the affected devices are not certified by Google. Several hundred models are affected, most of them tablets, and most of them are powered by MediaTek chips.
The adware is called Cosiloon, and it creates an ad over the webpage that you may be loading in your browser. It has been active for about three years and is seemingly difficult to remove, as it is installed at the firmware level and uses "heavy obfuscation".
Avast identified about 1
Google has also been informed about the problem and is working to mitigate it, but even Google cannot deal with the apps as long as they are preinstalled on the devices. Google has apparently reached out to developers to raise this issue.
Avast discovered these "dropper" apps in the file system, among the apps preinstalled on a device. This variant is a passive app that appears in the list of system applications under Settings. These droppers can download a manifest from specific servers, which contains further instructions on what to download to the phone.
The dropper downloads a second APK and installs it on the device. Users cannot uninstall the droppers because they are built into the firmware.
A second dropper variant is embedded in SystemUI.apk, which is part of the Android operating system and therefore even harder to remove. The payload that the dropper can install is obviously "heavily obfuscated and very complex". It can even tell if it is being run in an antivirus emulator, and in that case it holds back its actions. If necessary, it can update itself by retrieving the appropriate files from a server.
When enabled, the payload will deliver ads to various apps and games. Needless to say, you should not click on any of these ads (see examples in the screenshots above).
Avast says that it can detect and uninstall the payload, but it cannot do anything against the dropper operating in the system. If you want to know more about its findings, read this link. A list of affected devices can be found here.