Malware Found in the Firmware of 141 Low-Cost Android Devices

Posted on May 25, 2018


News of this group first surfaced after a report in December 2016, when Russian antivirus vendor Dr.Web disclosed that a mysterious threat actor had found a way to penetrate the supply chain of several mobile carriers, infecting phones with malware. At the time, experts said they found malware in the firmware of at least 26 low-cost Android smartphone and tablet models. Dr.Web hoped that, once outed, the crooks would pack up and move on to another operation.

But in a report released yesterday, cyber-security firm Avast says the group has never ceased operations and has continued to poison the firmware of more and more devices, growing their operation many times over. Avast published a list of over 140 Android smartphones and tablets on which it says it found the group’s malware, which they named Cosiloon. Comparing the Dr.Web and Avast reports, the malware doesn’t seem to have received any updates and still operates in the same manner.

It runs from the ‘/system’ folder with full root rights, and its main role is to connect to a remote server, download an XML file, and then install one or more apps listed in that file. Because the malware ships as a firmware component, it can easily grab any app crooks tell it to and install it without any user interaction. In almost all cases, the apps the malware installs are used solely to display ads on top of other apps or the Android interface itself.

Many Android users have been noticing the ads [1, 2, 3]. Below are a few examples of the types of popups owners of affected devices usually see: