In December 2016, the antivirus manufacturer Dr.Web reported on cyber-criminals who found a way to attack a chain of deliveries of several mobile device manufacturers by infecting phones with malicious programs. Experts found malware in the firmware of at least 26 inexpensive models of smartphones and tablets based on Android.

Unfortunately, Dr.Webs report had fallen on deaf ears.  Another antivirus manufacturer; Avast, just recently published a list of more than 140 models of Android-smartphones and tablets which were infected with malicious software Cosiloon; which was identical to the original malware found by Dr. Webs report.

The program runs from the “/ system” folder with superuser privileges, and its main task is to connect to a remote server, download an XML file and install one or more applications specified in this file.

Since the malware comes as a piece of the firmware, it can install any application that the hackers need without interacting with the user. In almost all cases, applications installed by Cosiloon are used solely to display ads on top of other applications or the very interface of Android. Obviously, intruders are interested in earning income only through advertising.

Infected devices have been found in more than 90 countries, the only common aspect of the devices is the use of Mediatek chipsets.

Avast experts managed to disconnect the server of the hackers for a short time because the domain name registrar did not cancel the domain used but the hackers simply migrated to another host provider.