Holiday Shopping Season Opens with New Malware Targeting Credit Cards, and Android Tablets Factory Infected with Malware By Ira Wilsker


This past few weeks have been as busy for cyber security professionals as it has been for bargain shoppers. While there have been several stories in the national and local media about shopping safety and security, cyber crooks are also well aware that that the seasonal shopping frenzy creates illicit financial opportunities for those ingenious enough to create malware to again attack our “POS” (Point of Sale) payment systems, as well as to infect popular Android tablets with malware at the time of manufacture.

It was approximately two years ago that we heard about the massive credit card data breaches at Target, Home Depot, and dozens of other major retailers. Most of those well publicized data breaches occurred because a well written piece of malware was able to infect the POS devices that most of us use at checkout to steal our debit and credit card data. While there have been many subsequent data breaches and thefts of credit card data since the massive attacks two years ago, none have reached the scope and degree of damage of the combined “Black Friday” attacks of 2013. Now, at the height of the 2015 holiday shopping season, there is some evidence that a new, more sophisticated, type of malware may be spreading through the retail channels that could repeat or surpass the sheer numbers of credit and debit card numbers stolen in the previous massive attacks. On November 24, a Dallas based cyber security company iSIGHT partners disclosed this new threat in a blog post “ModPOS: Highly-Sophisticated, Stealthy Malware Targeting US POS Systems with High Likelihood of Broader Campaigns” (

According to the iSIGHT blog posting, “The threat intelligence experts at iSIGHT Partners have analyzed the most sophisticated point-of-sale (POS) malware we have seen to date. ModPOS, which is short for modular point-of-sale (POS) system, is a comprehensive malware framework. The actors behind the ModPOS software have exhibited a very professional level of software development proficiency, creating a complex, highly functional and modular code base that places a very heavy emphasis on obfuscation and persistence. Thus, ModPOS can go undetected by numerous types of modern security defenses.” Preliminary reverse engineering of the malware code has shown that the source of the malware code is probably Eastern European in origin, and is explicitly written to not just capture the magnetic stripe data that was purloined in such large numbers in 2013 and subsequent data thefts, but to also steal the data from the newer “EMV Chip and PIN” secured credit and debit cards now coming into wide use, as they were supposed to provide greatly enhanced security. These new EMV (Europay-MasterCard-Visa) Chip and Pin credit and debit cards were designed to make it very difficult for cyber thieves to profit from stolen credit card data, as they did in the massive “Black Friday” attacks of 2013, but an in store vulnerability has again made the data vulnerable to theft. This new ModPOS malware has taken advantage of a flaw in the internal in-store processing of debit and credit transactions still using magnetic stripes as well as using the new EMV Chip and Pin cards; the processing flaw, now known to the retail industry, is that the internal processing systems utilized by many major retailers does not support end-to-end encryption, and does not also properly encrypt data in memory, allowing that credit card data to still be captured and sent to distant cyber crooks. According to iSIGHT, “Criminals can then reuse card data, even from EMV cards, to make online (card-not-present) transactions.”

This ModPOS malware can be easily modified to better target specific credit card transaction systems by integrating its own integral data upload and download utilities, “RAM scraping” (capturing unencrypted data in RAM), keyloggers (captures keypad entries, such as PIN numbers), and other highly specialized malware utilities. The malware code itself is encrypted, thus making it very difficult to detect using modern anti-malware detection software and hardware, thus allowing the malware code to burrow itself into the relevant legitimate and necessary computer software, where it is also difficult to detect and neutralize. The malware code was written to not just compromise the retail credit card processing system, but to also install itself in other software used by retailers, rendering it even much more difficult to eradicate. It is important to note that while initially encountered in retail store payment systems, it has now also been detected in the payment systems utilized in the hospitality industry including some major hotel chains and franchises, and restaurants. It is only a matter of time that ModPOS and similar highly sophisticated malware again appears to threaten our digital transaction systems.

Stay tuned, as we have yet to see if ModPOS and similar malware will in reality wreak havoc on our credit card infrastructure as its malware predecessors did in 2013. While it is still too early to know if, and to what degree, ModPOS and its malware brethren will cost us this season, we should be aware that it is out there, in the wild, targeting our retail and hospitality payment systems. As mentioned in my columns following the infamous massive data breaches of the 2013 holiday season, be absolutely sure to thoroughly check your debit and credit card statements for any questionable activity, and if any suspicious transactions are posted, contact your credit or debit card provider immediately at the phone number on the back of your card.

While in volume and potential financial costs, massive credit card breaches can do extensive damage, there still are some smaller threats appearing in our holiday purchases that many of us would find more irritating than disastrous. It seems that thousands of inexpensive, generic or “no name” Android tablets sold through Amazon and other reputable dealers, were manufactured with malware installed on the devices at the time and place of manufacture in China. There have even been some published reports that some models of major name brand Android tablets, possibly produced by the same makers that produced the infected generic tablets, were also factory infected with malware. According to a November 16 posting by Jeff Goldman on eSecurityPlanet (, “Android Tablets Sold on Amazon Infected with Cloudsota Trojan; The tablets have been sold and delivered to over 17,000 customers in more than 150 countries.” Citing a post on the Cheetah Mobile security blog which said, “Researchers at Cheetah Mobile recently found a Trojan called Cloudsota pre-installed on some Android tablets that were available for sale on and other online stores. The Cloudsota Trojan enables remote control of the infected devices, and it conducts malicious activities without user consent,” Over 30 brands of inexpensive Android tablets sold by Amazon and other online retailers were infected with this trojan. The top selling brands, which included the vast majority of the infected tablets were “No Name” (unbranded); AllWinner; SoftWinners; Advance; Rockchip; Joinet; SW; WonderMedia; RDA; Freeman; WorryFree; MID-1013D; ELVISION; and Killer. There have also been published reports of the Cloudsota Trojan being factory installed on some inexpensive, generic branded Android powered smart phones, according to Cheetah Mobile.

The Cloudsota Trojan is a revenue generating type of malware that loads advertising and other apps to the device without the users’ permission, and connects as often as every 30 minutes to a web server in China for instructions, updates, and for new apps to be transparently installed without the consent of the users. This trojan also redirects web traffic to its own browser, often blocking the browser selected by the user. Other nefarious activities of this trojan include changing the boot animation of the device to an advertisement; the uninstallation of apps installed by the user, notably antivirus and other security apps; resets the wallpaper to paid advertisements, often showing new advertising every time the “home” button is tapped; loads and runs apps on its own, even if not selected by the user; and displays popup advertisements at random times, regardless of what is being run at that time.

Reputable sellers of these 17000 infected tablets are aware of the problems, and some have offered adjustments or replacements to buyers. For owners of these trojan infected tablets, Cheetah Mobile has published “Manual removal instructions of CloudSota”, available online at The manual removal instructions require the user to connect the tablet to a PC with a common USB cable (often the same cable used to charge most Android phones). The online instructions direct the user to download a file (free) “” to the PC from Cheetah Mobile, and then follow the online instructions to permanently remove the trojan.

It is shameful that malware authors will commit criminal acts to enrich themselves by stealing our credit card data or infecting smart devices at the time of manufacture with revenue generating trojans. As stated above and in earlier columns, it is imperative that we all routinely check our credit and debit card statements for questionable transactions, and report them immediately to the card companies. While not as perilous, but extremely annoying, thousands of people receiving inexpensive Android tablets this holiday season will be in possession of devices loaded at the factory with malware. Again, contact the seller for replacement or refund, or follow the instructions above for removal of the malware, but also be aware that many of the generic manufacturers of these inexpensive tablets offer no technical support.

It is sad that what should otherwise be a happy time of year turns out to be a less than happy season, all due to the greed of unscrupulous individuals. Pity.



Leave a Comment