In December 2016 the Russian antivirus vendor Dr. Web reported that malware had been found pre-installed in the firmware of at least 26 low-cost Android smartphones and tablets. The campaign did not stop there: it is still active today, and the list of affected models keeps growing.
Difficulty in finding the culprit
Avast, the cyber-security firm that later picked up the case, has not been able to pin down the point in the supply chain at which the malware is inserted, because too many devices from too many vendors are affected. What is clear is that the operation plants its component into the device firmware whenever it gets access to it. Avast did get the group's command-and-control server taken down, but the operators simply moved it to another hosting provider, and the campaign was only disrupted once the domain registrar suspended the group's domain name.
The only element shared by infected devices seen in over 90 countries is a MediaTek chipset. But MediaTek alone cannot be the source: only some units of a given model carry the malware, not every unit, which a chipset-level compromise would not explain.
More signs of malware infection
Avast released a report on May 25th showing that the group is still operating. As in Dr. Web's reports, the malware has not been updated and works the same way it did in 2016. Avast published a list of over 140 Android tablets and smartphones carrying Cosiloon, the group's malware. The dropper does, however, skip downloading its payload in a few situations: when the device's public IP address is in a Chinese IP range, when the system language is set to Chinese, and when more than three apps are installed. Avast has not been able to confirm whether the group avoids Chinese users to stay clear of local law enforcement.
The group appears to be interested only in ad revenue. In almost all cases the ads are drawn over the Android interface itself or on top of other apps. The dropper lives in the "/system" partition, which means the user cannot uninstall it and a factory reset does not remove it; from there it connects to a remote server, downloads an XML manifest, and fetches and installs whichever apps the group chooses, with no user interaction at all.
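The pattern described above, a system-resident component silently installing apps into user space, leaves a trace that can be checked from a computer with adb: Android records which package installed each app, and a user-space app whose installer is a package sitting on /system (rather than the Play Store or the platform package installer) is exactly the Cosiloon shape. The following triage script is an added example, not code from the article or from Avast or Dr. Web. It assumes the line format produced by `adb shell pm list packages -f -i` (`package:<apk path>=<package name>  installer=<package or null>`), and every package name in the constructed sample is hypothetical.

```python
"""Flag user-space apps that were installed by a component living on the
read-only /system partition, the behaviour described for Cosiloon.
Added example; package names in SAMPLE_PM_OUTPUT are hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed format of one line of `adb shell pm list packages -f -i`:
#   package:<path-to-apk>=<package-name>  installer=<package-name or null>
PM_LINE = re.compile(
    r"^package:(?P<apk>\S+)=(?P<name>\S+)(?:\s+installer=(?P<installer>\S+))?\s*$"
)

# Installers that legitimately put apps into /data/app.
KNOWN_INSTALLERS = {
    "com.android.vending",                 # Google Play Store
    "com.android.packageinstaller",        # platform installer (sideloads)
    "com.google.android.packageinstaller",
}

# Constructed sample output; every package name here is hypothetical.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/system/app/Example/Example.apk=com.example.sysdropper  installer=null
package:/data/app/com.example.adware-1/base.apk=com.example.adware  installer=com.example.sysdropper
package:/data/app/com.example.spam-1/base.apk=com.example.spam  installer=com.example.sysdropper
package:/data/app/com.example.game-1/base.apk=com.example.game  installer=com.android.vending
package:/data/app/com.example.sideloaded-1/base.apk=com.example.sideloaded  installer=com.android.packageinstaller
"""


@dataclass(frozen=True)
class Package:
    apk: str
    name: str
    installer: Optional[str]   # None when pm reports "null" (preloaded / unknown)


def parse_pm_output(text: str) -> List[Package]:
    """Parse `pm list packages -f -i` output; lines that do not match are skipped."""
    pkgs: List[Package] = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue
        inst = m.group("installer")
        pkgs.append(Package(m.group("apk"), m.group("name"),
                            None if inst in (None, "null") else inst))
    return pkgs


def is_system_resident(p: Package) -> bool:
    """True for APKs that ship in the firmware image rather than /data/app."""
    return p.apk.startswith(("/system/", "/vendor/", "/product/"))


def find_silent_installers(pkgs: List[Package]) -> Dict[str, List[str]]:
    """Map each /system-resident package that acted as the installer of a
    /data/app package to the packages it installed. The Play Store and the
    platform package installer are excluded, so anything returned is a
    firmware component installing apps on its own, the Cosiloon pattern."""
    by_name = {p.name: p for p in pkgs}
    hits: Dict[str, List[str]] = {}
    for p in pkgs:
        if not p.apk.startswith("/data/app") or p.installer is None:
            continue
        if p.installer in KNOWN_INSTALLERS:
            continue
        dropper = by_name.get(p.installer)
        if dropper is not None and is_system_resident(dropper):
            hits.setdefault(dropper.name, []).append(p.name)
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_PM_OUTPUT with the real output of
    #   adb shell pm list packages -f -i
    for dropper, installed in find_silent_installers(parse_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(f"{dropper} (on /system) installed: {', '.join(installed)}")
```

Because the flagged installer sits on /system, a plain uninstall from the device UI is refused; the usual recourse is to disable it for the primary user with `adb shell pm uninstall -k --user 0 <package>` or to reflash clean firmware. Note that the installer field can be `null` for apps installed by some OEM tools, so an empty result from this check does not prove a device is clean.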
Henry Lares is still early in his career as a tech reporter but has already had his work published in many major publications, including TechCrunch and the Huffington Post. Henry earned an engineering degree from Apex Technical School. He has a passion for emerging technology and covers upcoming products and breakthroughs in science and tech.