Two years after being outed, a criminal operation that has been inserting malware in the firmware of low-cost Android devices is still up and running, and has even expanded its reach.
News of this group first surfaced in December 2016, when Russian antivirus vendor Dr.Web disclosed in a report that a mysterious threat actor had found a way to penetrate the supply chain of several mobile carriers, infecting phones with malware.
At the time, experts said they found malware in the firmware of at least 26 low-cost Android smartphone and tablet models. Once the operation was outed, Dr.Web hoped the crooks would pack up and move on to another operation.
Crooks expand operations and infect more devices
But in a report released yesterday, cyber-security firm Avast says the group has never ceased operations and has continued to poison the firmware of more and more devices, growing its operation many times over.
Avast published a list of over 140 Android smartphones and tablets on which it says it found the group's malware, which it named Cosiloon.
Infection point remains unknown even after two years
The cyber-security firm says it has had a hard time tracking when the malware is inserted in the firmware of these devices. There are too many mobile carriers and smartphone vendors affected to pin the blame on one of them.
Infected devices have been found in over 90 countries, and the only common component between them is that they all use a MediaTek chipset.