Cheetah Mobile, a cybersecurity company based in China, discovered that thousands of Android-powered tablets that are being sold through online retail portal Amazon are infected with trojans.
Cheetah Mobile researchers were alerted to the malware through the telemetry data coming from the company's mobile security app. When the researchers investigated the data further, they traced the infection to a Trojan that has been named Cloudsota.
In all cases of Cloudsota, users said that they bought the tablets through Amazon. In connection, the tablets all received poor reviews on the online retail portal, with many of the customers issuing complaints about apps that could not be deleted, hijacked Internet browsers and pop-up advertisements.
The malware analysts of Cheetah Mobile discovered that Cloudsota, which was pre-installed on the infected tablets, possessed boot permissions and was aggressive in boot persistence, which meant that the malware would install itself back to the tablet whenever it is removed.
Cloudsota's capabilities include installing other adware or malware into the infected tablet, removing security apps, changing the home page of an Internet browser, altering search results, changing the tablet's wallpaper, inserting advertisements in the tablet's boot animation and opening apps on demand.
Cheetah Mobile estimates that at least 17,233 tablets that are infected by Cloudsota have reached customers, with the company basing the figure on anonymous data that it collected. With many tablets not being protected by security software, Cheetah Mobile thinks that the number of infected tablets could be much higher.
In addition, the infected tablets are widely available in online stores, with over 30 brands of tablets affected. The most severely affected tablets are those with no brand but come with Allwinner chips, with over 4,000 such devices already purchased by customers. More than 150 countries are affected by Cloudsota, with Mexico, the United States and Turkey as the most compromised countries.
Cheetah Mobile has informed the companies that manufactured the tablets that come with Cloudsota regarding the pre-installed Trojan. All of the companies that manufactured the tablets are China-based.
The company also stated that it has confident proof revealing that the attackers linked to Cloudsota are from China.
Users that have infected tablets can remove Cloudsota through the instructions that Cheetah Mobile has published on its blog. Cheetah Mobile also recommends customers not to take the risk of purchasing brandless tablets to save money, as the risks involved are real.