Researchers at Cheetah Mobile recently found a Trojan called Cloudsota pre-installed on some Android tablets that were available for sale on Amazon.com and other online stores.
“The Cloudsota Trojan enables remote control of the infected devices, and it conducts malicious activities without user consent,” the researchers wrote in a blog post detailing the threat. “The CM Security Lab has detected that Cloudsota can install adware or malware on the devices and uninstall anti-virus applications silently. With root permission, it is able to automatically open all installed applications.”
On some devices, the malware also replaces the boot animation and wallpapers with ads, changes the browser’s home page, and redirects search results to ad pages.
The researchers estimate that at least 17,233 infected tablets have been sold and delivered to customers in more than 150 countries. Over 30 different tablet brands have been pre-loaded with the Trojan.
“The tablet itself and keyboard cover are great, but it came pre-installed with Trojan.coudw.a in 2 system files, which was only detected by the Malwarebytes app. … Even with the device rooted, I could not remove the infected files,” a customer wrote in a review of one of the tablets on Amazon.
The researchers believe the attackers behind Cloudsota are based in China, as most of the code is written in Chinese characters, the malware links to a server registered in Shenzhen, and all of the infected tablets are manufactured in China.
Cheetah Mobile has published instructions for manual removal of Cloudsota.
The researchers urge online stores to vet their product vendors more strictly, and they advise purchasers, “Do not take the risk of trying tablets from nameless manufacturers just to save some money.”
Tripwire computer security researcher Craig Young told eSecurity Planet by email that it’s not surprising that unscrupulous vendors might try to make money on both ends from selling tablets. “On one hand, they can receive income by selling the hardware, and then on the other, they can receive potentially more money selling or misusing information stolen by hostile devices,” he said.
“Consumers should pay attention to the brands behind devices, not only due to the risk of pre-infected systems, but also for the sake of knowing that the device will be supported with Android system updates for some length of time,” Young added. “Sticking with tablets made by established manufacturers helps reduce the risk of supply chain corruption.”