Badbox Operation Targets Android Devices in Fraud Schemes
Researchers believe that more than 70,000 Android devices may have been infected with preloaded Peachpit malware that was installed on the electronics before they were sold.
October 10, 2023
After a researcher discovered that an Android-based TV streaming box, known as the T95, shipped with preloaded malware, researchers at Human Security released details on how many devices are infected and how the malicious schemes are connected to these compromised products.
Daniel Milisic, a systems security consultant who first came across the issue, created a script and accompanying instructions to help other users mitigate the threat. Human Security's threat intelligence and research team has now dubbed the operation "Badbox," which it characterizes as a complex, interconnected series of ad fraud schemes on a massive scale.
Human Security describes the operation as "a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain." Once activated, the malware on the devices connects to a command-and-control (C2) server for further instructions. Working in tandem with the backdoor, a botnet known as Peachpit is integrated with Badbox and engages in ad fraud, residential proxy services, creation of fake email and messaging accounts, and unauthorized remote code installation.
According to the researchers at Human Security, 200 different models of Android devices are potentially affected, and at least 74,000 Android devices globally are potentially impacted by the Badbox infection. Eight different types of devices have backdoors installed: seven Android-based TV boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) and an Android tablet, the J5-W. The devices are made in China, and somewhere along the supply chain a firmware backdoor is installed on them.
The infected devices run builds of the Android Open Source Project (AOSP), whose code anyone can modify, according to a Google spokesperson; they are not built on the official Android TV operating system for smart TVs and streaming devices, which is proprietary and open only to Google and its licensed partners for code modification. "The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results."
Google's spokesperson adds, "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."
Human Security recommends that users avoid off-brand devices and be wary of clone apps that could infect their device. Users should also consider a factory reset if a device is behaving oddly. Note, however, that a factory reset restores the device to the firmware it shipped with, so it cannot remove a backdoor that is part of that firmware.
"While the disruption of Badbox is a victory for the cybersecurity community, research must continue into the supply chain that allowed the threat to develop in the first place," Human Security said in its report, adding that other threat actors are poised to fill the vacuum.
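A practical first check for anyone holding one of these boxes is to compare what the device reports about itself against the model list above and against the signs of an uncertified AOSP build. The script below is an added example for this article; it is not Human Security's or Daniel Milisic's code, and it is not an indicator of compromise. It works on a saved `adb shell getprop` dump so it runs offline. Assumptions: the standard AOSP property names (`ro.product.model`, `ro.build.tags`, `ro.build.type`); that the report's marketing names match the `ro.product.model` strings once upper-cased with spaces replaced by underscores (the real strings on these boxes may differ); and the generic heuristic, which goes beyond the article, that a retail build signed with `test-keys` or built as `userdebug`/`eng` is not what a Play Protect certified device ships with. The sample dump at the bottom is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example, not code from the Human Security report or Milisic's script.
# Offline triage of an Android box against the eight Badbox models the report
# names, plus two generic signs of an uncertified AOSP build.
# Input: a file containing the output of `adb shell getprop`.

# Models from the report, upper-cased with spaces as underscores (assumed form).
BADBOX_MODELS="T95 T95Z T95MAX X88 Q9 X12PLUS MXQ_PRO_5G J5-W"

# Extract one property value from a getprop dump.
# getprop prints lines shaped like:  [ro.product.model]: [T95]
prop() {
    grep -F "[$1]: [" "$2" | head -n 1 | sed 's/^[^:]*: \[\(.*\)\]$/\1/'
}

# Exit status: 2 = model is on the Badbox list,
#              1 = not listed, but signed with AOSP test keys or a
#                  userdebug/eng build (heuristic assumption, not from the report),
#              0 = nothing noteworthy in the dump.
badbox_triage() {
    dump="$1"
    model=$(prop ro.product.model "$dump" | tr '[:lower:]' '[:upper:]' | tr ' ' '_')
    tags=$(prop ro.build.tags "$dump")
    btype=$(prop ro.build.type "$dump")

    listed=no
    for m in $BADBOX_MODELS; do
        if [ "$model" = "$m" ]; then listed=yes; fi
    done
    if [ "$listed" = yes ]; then
        echo "LISTED  model=$model tags=$tags type=$btype (model named in Badbox report)"
        return 2
    fi
    case "$tags:$btype" in
        *test-keys*|*:userdebug|*:eng)
            echo "SUSPECT model=$model tags=$tags type=$btype (uncertified-looking build)"
            return 1 ;;
    esac
    echo "CLEAN   model=$model tags=$tags type=$btype"
    return 0
}

# Constructed sample dump (not from a real device) so the script runs stand-alone.
# On a real device: adb shell getprop > /tmp/badbox_demo/box.txt
mkdir -p /tmp/badbox_demo
cat > /tmp/badbox_demo/box.txt <<'EOF'
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.product.model]: [T95]
EOF
badbox_triage /tmp/badbox_demo/box.txt || true
```

A LISTED result only means the box is one of the models the report names; a CLEAN result says nothing about whether the firmware is backdoored, since the article gives no file or network indicators to check for. Treat the model and build-key checks as triage for deciding which devices to pull off the network first, not as a verdict.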