Two years after being outted, a criminal operation that has been inserting malware in the firmware of low-cost Android devices is still up and running, and has even expanded its reach.

News of this group first surfaced after a report in December 2016, when Russian antivirus vendor Dr.Web disclosed that a mysterious threat actor had found a way to penetrate the supply-chain of several mobile carriers, infecting phones with malware.

At the time, experts said they found malware in the firmware of at least 26 low-cost Android smartphone and tablets models. Once ousted, Dr.Web hoped crooks would pack up and move on to another operation.

Crooks expand operations and infect more devices

But in a report released yesterday, cyber-security firm Avast says the group has never ceased operations and has continued to poison the firmware of more and more devices, growing their operation many times over.

Avast published a list of over 140 Android smartphones and tablets on which it says it found the group's malware —which they named Cosiloon.

Comparing the Dr.Web and Avast reports, the malware doesn't seem to have received any updates and still operates in the same manner.

It runs from the "/system" folder with full root rights, and its main role is to connect to a remote server, download an XML file, and then install one or more apps mentioned in this document.

Because the malware ships as a firmware component, it can easily grab any app crooks tell it to and install it without any user interaction.

In almost all cases, the apps the malware installs are used solely to display ads on top of other apps or the Android interface itself. Many Android users have been noticing the ads [1, 2, 3]. Below are a few examples of the types of popups owners of affected devices usually see are below:

Crooks are obviously interested in generating revenue via ads alone, and no other shady behavior has been seen.

The only times the malware won't download additional apps is when the device's language is set to Chinese, when the device's public IP address is also from a Chinese IP range, and when the number of locally installed apps is below three (indicating a test/scan environment).

While it appears the group may be operating out of China because it avoids infecting Chinese users —hence avoid law enforcement attention—, Avast has not yet been able to fully determine this fact.

Infection point remains unknown even after two years

The cyber-security firm says it has had a hard time tracking when the malware is inserted in the firmware of these devices. There are too many mobile carriers and smartphone vendors affected to pin the blame on one of them.

Infected devices have been found in over 90 countries, and the only common component between them is that they all use a Mediatek chipset.

But MediaTek can't be blamed either, as not all devices from an affected smartphone model are infected with the malware. If one of the MediaTek firmware components would have harbored the malware, then all devices for a specific model would have been affected, not just a handful.

This means the group is opportunistic and infects devices at random, as it finds a window during which it can poison their firmware.

For now, Avast says it managed to take down the group's command-and-control server for a small period of time, but because the domain registrar hasn't intervened to invalidate the group's domain name, the group simply switched to another hosting provider.

IOCs and a breakdown of the infection process of several Cosiloon versions are available in Avast's report.