Malware Found in the Firmware of 141 Low-Cost Android Devices


Firmware is a software program permanently stored in a hardware device such as a keyboard, hard drive, BIOS chip, or video card. It holds the fixed instructions the device uses to communicate with other devices and to perform functions such as basic input/output tasks.

Two years after being exposed, a criminal operation that has been inserting malware into the firmware of low-cost Android devices is still up and running, and has even expanded its reach.

News of this group first surfaced in a December 2016 report, when Russian antivirus vendor Dr.Web disclosed that a mysterious threat actor had found a way to penetrate the supply chain of several mobile carriers, infecting phones with malware.

At the time, experts said they had found malware in the firmware of at least 26 low-cost Android smartphone and tablet models. Once the operation was exposed, Dr.Web hoped the crooks would pack up and move on to something else.




Crooks expand operations and infect more devices

But in a report released yesterday, cyber-security firm Avast says the group has never ceased operations and has continued to poison the firmware of more and more devices, growing their operation many times over.

Avast published a list of over 140 Android smartphones and tablets on which it says it found the group's malware, which Avast named Cosiloon.

Comparing the Dr.Web and Avast reports, the malware does not appear to have received any updates and still operates in the same manner.

It runs from the "/system" partition with full root rights, and its main role is to connect to a remote server, download an XML file, and then install one or more apps listed in that document.

Because the malware ships as a firmware component, it can grab any app the crooks tell it to and install it without any user interaction.

In almost all cases, the apps the malware installs are used solely to display ads on top of other apps or the Android interface itself.

The crooks are clearly interested in generating revenue via ads alone, and no other shady behavior has been seen. The only cases in which the malware does not download additional apps are when the device's language is set to Chinese, when the device's public IP address falls in a Chinese IP range, and when the number of locally installed apps is below three (a sign of a test or scanning environment).

While the group may be operating out of China, since sparing Chinese users would keep it clear of local law enforcement attention, Avast has not yet been able to confirm this.




Infection point remains unknown even after two years

The cyber-security firm says it has had a hard time determining at what point the malware is inserted into the firmware of these devices. Too many mobile carriers and smartphone vendors are affected to pin the blame on any one of them.

Infected devices have been found in over 90 countries, and the only component they all have in common is a MediaTek chipset.

But MediaTek cannot be blamed either, because not every device of an affected smartphone model is infected. If one of the MediaTek firmware components had harbored the malware, every device of a given model would have been affected, not just a handful.
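The observation above, that only some units of a model carry the dropper in their system partition, suggests a practical triage check: compare the package inventory of a suspect device against a known-clean unit of the same model and flag anything extra that lives under /system. The following is an added example written for this page, not code from Avast, Dr.Web or the article's author. It parses the output format of `adb shell pm list packages -f` (the `package:<apk path>=<package name>` lines); the two inventories and all package names in it are constructed placeholders, not real indicators from the report.

```python
"""Triage helper (added example): diff the package inventory of a suspect
Android device against a known-clean unit of the same model and flag
packages that appear only on the suspect, with system-partition entries
called out separately, since a firmware-level dropper lives there."""
import re
from typing import Dict, Set

# Each line of `adb shell pm list packages -f` looks like
#   package:/system/app/Foo/Foo.apk=com.example.foo
_LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Partitions that ship with the firmware image rather than user installs.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    inventory: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        inventory[m.group("pkg")] = m.group("path")
    return inventory


def system_packages(inventory: Dict[str, str]) -> Set[str]:
    """Packages whose APK sits on a firmware partition."""
    return {pkg for pkg, path in inventory.items() if path.startswith(SYSTEM_PREFIXES)}


def unexpected_system_packages(suspect: Dict[str, str], baseline: Dict[str, str]) -> Set[str]:
    """System-partition packages present on the suspect but not on the clean baseline.
    On a clean unit of the same model this set should be empty."""
    return system_packages(suspect) - system_packages(baseline)


def triage(suspect: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, Set[str]]:
    """Split the suspect's extra packages into firmware-level ones (high priority:
    the user cannot have installed these) and user-partition ones (review: they
    may be legitimate installs or apps pulled down by a dropper)."""
    extra = set(suspect) - set(baseline)
    system_extra = unexpected_system_packages(suspect, baseline)
    return {"system_extra": system_extra, "user_extra": extra - system_extra}


# Constructed sample inventories; the package names are placeholders.
CLEAN_OUTPUT = """
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Browser/Browser.apk=com.android.browser
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""

SUSPECT_OUTPUT = """
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/app/SvcUpdater/SvcUpdater.apk=com.example.placeholder.dropper
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/data/app/com.example.adsapp-1/base.apk=com.example.placeholder.adsapp
"""

if __name__ == "__main__":
    report = triage(parse_pm_list(SUSPECT_OUTPUT), parse_pm_list(CLEAN_OUTPUT))
    for bucket, pkgs in report.items():
        print(f"{bucket}: {sorted(pkgs)}")
```

In practice the baseline comes from a unit of the same model that was imaged before first boot or obtained directly from the vendor; because infection is per-device rather than per-model, a single clean sibling is enough to make the firmware-level additions stand out, while the user-partition extras still need manual review.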

This means the group is opportunistic and infects devices at random, whenever it finds a window during which it can poison their firmware.

For now, Avast says it managed to take down the group's command-and-control server for a short period, but because the domain registrar has not intervened to invalidate the group's domain name, the group simply switched to another hosting provider.
