Researchers at Cheetah Mobile Security Lab discovered Amazon has been selling third-party Android tablets pre-loaded with what they call a “dangerous” Trojan known as Cloudsota, likely the work of attackers in China.
More than 17,000 people have purchased the tablets, which can be commandeered by hackers through the malware, and Amazon still has the devices on its shelves, according to a blog post from CM Security Lab.
Around 30 brands, including SoftWinners, RockChip and WorryFree, have been infected with the Trojan, and users in more than 150 countries have felt its impact, with the U.S., Mexico and Turkey being hit especially hard.
The researchers cited user posts on XDA, TechKnow and other Android forums, as well as on Amazon, seeking help. One user on Amazon's site who goes by the handle “J Cubed” bemoaned the inability to remove the malware, saying “Even with the device rooted, I could not remove the infected.” Another user, C-B-S, wrote on the XDA forum that the virus and adware in the Allwinner A23's ROM are “still there after wiping to factory settings.”
That's not surprising considering that “the Trojan is embedded in boot.img /cloudsota/CloudsService.apk [so it] is able to restore itself when a user reboots the device, meaning that it is very hard to get rid of,” the researchers said, adding that “Every time the device reboots, the code in the script init.rc will restore the Trojan.”
Upon booting up an infected tablet, the malicious code in SystemUI.apk is executed “to examine whether the malware com.clouds.server (viz., the Trojan cloudsota) has been installed in the tablet, if not, the code will try to get one, and if it fails, it will draw a big red ‘Demo' in the center of the screen,” the researchers said.
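As an added triage example, not code from CM Security Lab or the article, the script below checks an extracted init.rc and a package list for the indicators named above: the /cloudsota/CloudsService.apk path, init.rc entries that reference it, and the com.clouds.server package. The sample inputs are constructed, and the init.rc entry in the sample is an assumption, since the post does not quote the Trojan's actual init.rc line.

```shell
#!/bin/sh
# Added triage helper (not the researchers' code). It checks two artefacts for
# the Cloudsota indicators the post names:
#   - init.rc entries referencing "cloudsota" / CloudsService.apk, the reboot
#     persistence mechanism the researchers describe, and
#   - the package com.clouds.server in a `pm list packages` dump.
# Inputs are plain files; on a real device they would come from
# `adb shell cat /init.rc` and `adb shell pm list packages` (assumed usage,
# on a rooted device or a ramdisk extracted from boot.img).

# cloudsota_indicators INIT_RC PKG_LIST
# Prints each finding to stderr and the indicator count (0 = clean) to stdout.
cloudsota_indicators() {
    initrc="$1"; pkglist="$2"; hits=0
    if grep -qi 'cloudsota' "$initrc"; then
        echo "init.rc references cloudsota (reboot persistence):" >&2
        grep -ni 'cloudsota' "$initrc" >&2
        hits=$((hits + 1))
    fi
    if grep -q 'CloudsService\.apk' "$initrc"; then
        echo "init.rc references CloudsService.apk" >&2
        hits=$((hits + 1))
    fi
    if grep -qx 'package:com\.clouds\.server' "$pkglist"; then
        echo "package com.clouds.server is installed" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Constructed samples (not real device dumps) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/infected.rc" <<'EOF'
on boot
    # constructed entry; the post does not quote the Trojan's real init.rc line
    copy /cloudsota/CloudsService.apk /system/app/CloudsService.apk
EOF
printf 'package:com.android.systemui\npackage:com.clouds.server\n' > "$SAMPLE_DIR/infected.pkgs"
cat > "$SAMPLE_DIR/clean.rc" <<'EOF'
on boot
    class_start main
EOF
printf 'package:com.android.systemui\n' > "$SAMPLE_DIR/clean.pkgs"

echo "infected sample: $(cloudsota_indicators "$SAMPLE_DIR/infected.rc" "$SAMPLE_DIR/infected.pkgs") indicator(s)"
echo "clean sample:    $(cloudsota_indicators "$SAMPLE_DIR/clean.rc" "$SAMPLE_DIR/clean.pkgs") indicator(s)"
```

A non-zero count on a factory-reset device is consistent with the boot.img persistence the researchers describe, since a data wipe does not touch the boot partition.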
Cloudsota lets attackers remotely control infected tablets and, without the consent of the user, execute malicious activities. It installs adware or malware on the tablets as well as uninstalling antivirus apps “silently.”
Cloudsota, “with root permission…is able to automatically open all installed applications,” the researchers wrote. “Furthermore, we found that the Trojan replaces the boot animation and wallpapers on some devices with advertisements.”
With Cloudsota in play, the browser's homepage is changed and search results are redirected “to strange ad pages,” according to the blog post.
The researchers said that extracting code “from the Trojan links to the WHOIS information on the server of www[dot]cloudsota.com,” which tracked the malware to a server registered in China. CM Security Lab reported the findings to Amazon. The researchers have issued a manual to guide infected users through a removal process and warned potential tablet buyers not to purchase devices “from nameless manufacturers just to save some money.”