Study shows thousands of low-cost Android devices come with a pre-installed backdoor used for remote code execution and ad fraud

A new study reports that thousands of cheap, unbranded Android devices (mobile devices, smart TV boxes, etc.) come pre-installed with malware called Triada. The study uses the term “BADBOX” for this process of infecting and distributing Android devices; the infected devices were sold for less than $50. Researchers found more than 200 models with pre-installed malware, and when they purchased seven specific devices, they found that 80% of them were infected with Triada. A second operation, called PEACHPIT, involves malicious mobile applications.

A global network of compromised Android electronic devices

The study, titled “Trojans All the Way Down: BADBOX and PEACHPIT,” was published by the American cybersecurity company Human Security. It focused on two key operations. The first is the BADBOX network, which consists of affordable Android devices that can be purchased online and in physical stores. These devices are infected with malware before they even reach the hands of the unsuspecting buyer. But the network doesn’t stop at Android TV boxes; it also extends to low-quality applications that users voluntarily install on their Android phones and iPhones.

The second operation studied by Human Security researchers is called “PEACHPIT.” This is a network built on low-quality applications that users voluntarily install on their Android phones and iPhones. These applications come with a nasty surprise in the form of malicious code that opens a backdoor that cybercriminals can exploit. It’s a stark reminder that not everything that glitters in the App Store is gold. The researchers reported Operation PEACHPIT to Apple and Google and said it involves at least 39 Android and iOS apps.

Google said it removed the apps after Human Security’s research, while Apple said it found problems with several of the apps reported to it. According to Human Security researchers, this network of compromised devices served as a platform for various malicious programs, including ad fraud, proxy services, remote code execution, and even illegal registration of Gmail and WhatsApp accounts. These devices can be found in homes, businesses and schools throughout Europe, the United States, etc. The true extent of the damage associated with these two operations is unknown.

Researchers found that the infected TV boxes run the Android Open Source Project (AOSP) operating system instead of the Google-certified Android TV platform. AOSP is open source and freely accessible. The unbranded devices infected by the BADBOX backdoor were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google has no record of security and compatibility testing results for it, says Ed Fernandez, a Google spokesman. Fernandez explained that the company maintains a list of certified partners for Android TV.

In total, the researchers confirmed the existence of eight backdoored devices: seven Android TV boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G) and one J5-W tablet. (Some of these devices have also been identified in recent months by other security researchers studying the problem.) The Human Security report, led by data scientist Marion Habiby, said the company has detected signs of BADBOX infection on at least 74,000 Android devices worldwide. According to the researchers, the TV boxes in question are manufactured in China.

But before they reach resellers – the researchers aren’t sure where – a firmware backdoor is added to them. This backdoor modifies a component of the Android operating system and gives it access to the applications installed on the device. “When you plug this device in, it connects to a command and control center (C2) in China without the user’s knowledge, downloads a set of instructions and starts doing a whole bunch of bad things,” explains Gavin Reid, CISO at Human Security, who leads the company’s Satori Threat Intelligence and Research team.
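The boot-time C2 contact described above is the behaviour a network defender can look for: a device that has just appeared on the network and immediately reaches out to destinations it has no business contacting. The following is an added example, not code from the Human Security report; the log format, device names, allowlist and the `.invalid` destination are constructed for illustration.

```python
"""Flag newly connected devices that beacon out right after first appearing on
the network.  Added example; the log format, device names and destinations are
constructed for illustration and are not from the Human Security report."""
from collections import defaultdict
from datetime import datetime

# Destinations a freshly booted Android TV device is expected to reach.
# Assumption: the defender maintains this allowlist; entries are illustrative.
EXPECTED_DESTINATIONS = {
    "time.android.com",
    "connectivitycheck.gstatic.com",
    "play.googleapis.com",
}

BOOT_WINDOW_SECONDS = 120  # a contact this soon after first sight counts as a boot beacon

# Constructed DNS/flow log, one record per line: "<ISO time> <device> <destination>"
SAMPLE_LOG = """\
2023-10-09T18:00:01 tvbox-01 time.android.com
2023-10-09T18:00:03 tvbox-01 connectivitycheck.gstatic.com
2023-10-09T18:00:09 tvbox-01 update.example-c2.invalid
2023-10-09T18:00:15 tvbox-01 update.example-c2.invalid
2023-10-09T18:05:00 laptop-07 play.googleapis.com
2023-10-09T18:30:00 laptop-07 docs.example.org
"""


def parse_log(text):
    """Yield (timestamp, device, destination) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, dest = line.split()
        yield datetime.fromisoformat(ts), device, dest


def find_boot_beacons(text, window=BOOT_WINDOW_SECONDS, allowlist=EXPECTED_DESTINATIONS):
    """Return {device: sorted unexpected destinations} for destinations contacted
    within `window` seconds of the device's first appearance in the log."""
    first_seen = {}
    suspects = defaultdict(set)
    for ts, device, dest in sorted(parse_log(text)):  # process in time order
        first_seen.setdefault(device, ts)
        age = (ts - first_seen[device]).total_seconds()
        if age <= window and dest not in allowlist:
            suspects[device].add(dest)
    return {dev: sorted(dests) for dev, dests in suspects.items()}


if __name__ == "__main__":
    for device, dests in find_boot_beacons(SAMPLE_LOG).items():
        print(f"{device}: contacted {', '.join(dests)} within {BOOT_WINDOW_SECONDS}s of first sight")
```

On the constructed log, only `tvbox-01` is flagged: the laptop's later contact falls outside the boot window, and the TV box's first two lookups are on the allowlist.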

According to the report, threat actors sold access to private networks for commercial purposes and claimed to have access to more than 10 million private IP addresses and more than 7 million mobile IP addresses. This posed a significant threat to privacy and security on the global Internet. At its peak, the PEACHPIT malware network operated on a botnet that covered 121,000 Android devices daily. As for iOS, at the peak of the PEACHPIT campaign, malicious apps used by cybercriminals were reportedly running on 159,000 Apple devices per day.

Compromised mobile devices are involved in massive ad fraud

The infected devices served more than four billion ads per day that were invisible to users. Anyone can accidentally buy a device online that is part of the BADBOX network without ever knowing it is fake, plug it in, and unknowingly open this backdoor malware. This malware can then be used to steal personal information, run hidden bots, create private proxy servers, steal cookies and one-time passwords, and carry out other unique scams, writes Human Security team member Rosemary Cipriano.

It should be noted that the T95 is a TV box that is known to contain pre-installed malware. Last January, Daniel Milisic, a Canadian cybersecurity consultant, discovered malware on the T95 TV box he purchased from Amazon. In February, researchers at Malwarebytes confirmed that this TV box had malware pre-installed. However, Amazon continues to sell the malicious T95 TV box to this day. According to Human Security’s Reid, the network is like a “Swiss Army knife for bad things on the internet.” Reid told the media it was a well-organized scam.

According to the report, while PEACHPIT’s authors appear to be different from those of BADBOX, it is likely that the two groups are collaborating in some way. “They have an ad fraud SDK, and we found a version of that SDK that matches the name of the module stored on BADBOX. It’s another layer of connectivity that we found,” explains Joao Santos, security researcher at Human Security. According to the company’s researchers, the PEACHPIT scam affects both Android and iOS devices, but the BADBOX backdoor was only found on Android devices, not on iOS.

The data the company has is not complete due to the complexity of the advertising industry, but Reid estimates that the perpetrators of this scheme could easily have made $2 million in a single month. Reid said that Human Security took action against the BADBOX and PEACHPIT ad fraud elements towards the end of last year and in the first half of this year. According to the company, the number of fraudulent ad requests from these systems has dropped completely. But the attackers adapted to the disruption in real time.

The company explains that when the perpetrators first encountered the countermeasures, they sent an update to cover their tracks. Then the BADBOX authors shut down the C2 servers that were running the firmware backdoor. These findings are consistent with those of other researchers. Fyodor Yarochkin, a threat researcher at Trend Micro, says the company has seen two Chinese threat groups using hacked Android devices. According to him, one of them was the subject of detailed research by Trend Micro; the other was investigated by Human Security.

He said Trend Micro had found a “front company” in China for the group he was investigating. The way the devices are infected is quite similar. The group claimed to have over 20 million infected devices worldwide, with around 2 million devices online at any time. Somewhere in Europe there was an infected tablet in one of the museums, he explains. Yarochkin added that entire categories of Android systems may be affected, including those in cars. “It is easy for them to penetrate the supply chain,” he said, “and it’s really hard for manufacturers to detect.”

Sources: Human Security, study report (PDF)

And you?

What is your opinion on this topic?

What do you think about the BADBOX and PEACHPIT security threats?

What impact do you think BADBOX and PEACHPIT could have?

How can we eliminate these security threats?

See also

The Chinese smart TV manufacturer Skyworth is accused of spying on its customers’ other devices using an app pre-installed on the televisions

There’s a simple reason your new smart TV was so affordable: It collects and sells your data, a report says

Pirated streaming devices are full of malware, a new study shows

WikiLeaks: How the CIA allegedly hacked Samsung smart TVs to turn them into devices for listening in on private conversations