January 20, 2016

The past year was marked by a big number of firmware Trojans for Android capable to covertly download and install various software and display annoying advertisements. Android.Cooee.1 incorporated into the graphical shell of some cheap Chinese smartphones was one of them. Virus makers obviously continued to preinstall Android.Cooee.1 into mobile devices. This time, however, Doctor Web security researchers detected the Trojan on firmware of a well-known electronics manufacturer.

Android.Cooee.1 was found on several unpopular and inexpensive Android devices in October 2015. A new case of Android firmware being infected with this malicious application proves that cybercriminals’ activity is gradually expanding as this malware was detected on Philips s307. Doctor Web specialists informed the producer about this incident. At the moment, Philips is considering possible solutions to the problem.

Android.Cooee.1 is a malicious launcher (Android graphical shell) that, apart from its standard functions, displays annoying advertisements and downloads and installs different software. In particular, Android.Cooee.1 is capable of displaying advertisements in the status bar, in full screen, or on top of running applications. It also can show video advertisements and animation on the home screen. It should be noted that the Trojan starts performing its malicious activities not right after the first running of the system but some time later. As a result, the true source of annoying notifications stays unnoticed because an owner of an infected device believes that advertisements are shown by applications that were installed during device usage.

Considering that Android.Cooee.1 is, in fact, a system program, software downloaded by this malware is installed without user knowledge. At that, the range of the downloaded applications is extremely wide: from benign games and web browsers to various malicious programs, such as SMS and downloader Trojans, and even banking Trojans that are able to covertly steal money from users’ bank accounts.

As Android.Cooee.1 is incorporated into the firmware, you cannot get rid of the Trojan by restoring default settings of the device. One of the possible solutions is to gain root privileges. However, even if such privileges are successfully gained, removal of Android.Cooee.1 will render the device “dead”. The fact is that the launcher program, that contains the Trojan, is responsible for the normal system loading. That is why, before removing the malicious application, it is necessary to install an alternative launcher and set it as default. Moreover, if you gain root privileges, your official manufacturer’s warranty becomes invalid. Besides, there is a high risk of making the device non-operational if its firmware or system files are treated by an inexperienced user. Therefore, the safest solution for victims of Android.Cooee.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.

Obviously, if you want to safe your device, it is not enough to download applications only from trusted sources. Virus makers more and more often preinstall malware directly on Android devices that you can buy on the Internet or in a store. Thus, Doctor Web security researchers strongly recommend Android users to install a reliable anti-virus software that not only prevents penetration of malware and unwanted applications, but also detects Trojans in firmware.

Protect your Android device with Dr.Web now