Not hundred but thousands of affordable Android smartphones from the likes of known makers such as ZTE, Archos and myPhone have been found to be shipped with pre-installed malware across several countries in the world, including India.
Global cyber-security firm Avast in a blog post claimed that a majority of the devices which have been found to be carrying adware are not certified by Google and carry an adware that called "Cosiloon". While not too severe this adware is capable of creating an overlay to display ads within a webpage on any browser.
According to a report by Engadget, removing the adware could be very difficult as it is installed on a firmware level, making it very difficult to find and then root out. As per the report, there are two separate variants of malware APK.
In the first variant, the infected apps, called droppers, are installed in a hidden way that can be viewed only under the list of system applications in the settings. These apps download a small XML file called a manifest that tells the app what other files to download. The app then downloads those and installs an APK from a list of URLs found in the manifest. It then runs a standard Android command to install it and then starts the payload service.
The second variant of the dropper works in a slightly different manner. The code here is almost the same as the first variant, but it is not a separate system application. As per Avast, this code is embedded in SystemUI.apk, an integral part of the Android OS. This makes the dropper almost impossible for the user to remove.
The payload APK also has its own set of tricks to evade detection. It is able to detect any antivirus software if you do happen to be running any and accordingly holds back any suspicious actions.
To work towards a solution, Avast has contacted Google and informed its team about the adware and Google has "taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques." Google Play Protect has also been updated to ensure it automatically disables the dropper and the payload if it's available.