This isn’t the first time we’ve seen bad apps pre-installed, as Lenovo famously shipped the “Superfish” malware with brand new PCs. It’s one of the bigger scandals related to malware installed on Android devices, however, and might affect a lot more users.
There are a couple of different variants of the Android malware APKs, but they work on the same principal.The infected apps, called droppers, are installed in a hidden way in a list of system applications in the settings. They download a small file called a manifest that tells the app what other files to gets. It then downloads those and installs an APK from an URL found in the manifest, and uses a standard Android command to install it. Finally, it starts the payload service.
The payload APK contains Google, Facebook and Baidu ad frameworks. It is able to detect any antivirus software, and will “hold back any suspicious actions in this case,” said Avast. If not, it will show popup ads for sketchy games while you surf on your default browser. That’s already a big nuisance, but could get a lot worse if you actually installed any of the games.
The top countries affected are Russia, Italy, Germany, the UK and France. Avast managed to disable the dropper server via takedown requests, but it was quickly restored using another provider. The adware servers are still operating, and lots of users have complained about it, the company notes.
Avast contacted Google, which “has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques,” said the company. Specifically, Google Play Protect should automatically disable the dropper and the payload, if it’s available.
Another solution, of course, is to use mobile antivirus software that Avast just happens offer (or another antivirus app, we presume). That should uninstall the payload, but you’ll have to manually go into your settings to disable the dropper. For more information about how to do that, check here.