Badbox Operation Targets Android Devices in Fraud Schemes

After a researcher discovered that an Android-based TV streaming box, known as T95, was infected with preloaded malware, researchers at Human Security released information regarding the extent of infected devices and how malicious schemes are connected to these corrupted products. 

Daniel Milisic, a systems security consultant, created a script alongside instructions to help other users mitigate the threat after first coming across the issue. Now, Human Security's threat intelligence and research team has dubbed the operation "Badbox," which it characterizes as a complex, interconnected series of ad fraud schemes on a massive scale.

Human Security describes the operation as "a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain." Once activated, the malware on the devices connect to a command-and-control (C2) server for further instructions. In tandem, a botnet known as Peachpit is integrated with Badbox, and engages in ad fraud, residential proxy services, fake email/messaging accounts, and unauthorized remote code installation.

According to the researchers at Human Security, 200 different models of Android devices are potentially affected, and at least 74,000 Android devices globally are potentially impacted by the Badbox infection. Eight different types of devices have backdoors installed: seven Android-based TV boxes — T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G — and an Android tablet, J5-W. The devices are made in China and somewhere along their supply chain, a firmware backdoor gets implemented on the devices.

The infected devices are from the Android Open Source Project (AOSP), meaning that anyone can modify the code, according to a Google spokesperson; they are not built on the official Android TV operating system for smart TVs and streaming devices, which is proprietary and open only to Google and its licensed partners for code modification. "The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results." 

Google's spokesperson adds, "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."

Human Security recommends that users avoid off-brand devices and be wary of clone apps that could potentially infect their device. In addition, users should consider restoring factory settings if a device is behaving oddly.

"While the disruption of Bandbox is a victory for the cybersecurity community, research must continue into the supply chain that allowed the threat to develop in the first place," Human Security said in its report, and added that other threat actors are poised to fill the vacuum.