When you buy a TV streaming box, there are some things you don't expect it to do. It shouldn't be able to surreptitiously plant malware, nor should it start communicating with servers in China as soon as it boots up. It should never serve as a node in an organized crime scheme to make millions of dollars through fraud. However, for the thousands of uninformed people who own cheap Android TV devices, this is the reality.
In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, a finding confirmed by multiple other researchers. But this is just the tip of the iceberg. This week, cybersecurity firm Human Security revealed new details about the scope of infected devices and a hidden, interconnected network of fraud schemes tied to streaming boxes.
Researchers at Human Security found seven Android TV boxes and one tablet with backdoors installed, and they also discovered that 200 different models of Android devices were potentially affected. These devices are found in homes, businesses, and schools across the United States. Meanwhile, Human Security said it also uncovered ad fraud related to the scheme, which likely helped pay for the operation.
"They're like a Swiss Army knife for doing bad things on the internet," said Gavin Reid, CISO at Human Security. "It's a truly distributed form of fraud." Reid said the company has shared details with law enforcement agencies about facilities where the devices may have been manufactured.
Human Security's research is divided into two areas. The first, Badbox, covers the compromised Android devices themselves and the ways they can be used in fraud and cybercrime. The second, known as Peachpit, was a related ad fraud operation involving at least 39 Android and iOS apps. Google said it had removed the apps following Human Security's research, while Apple said it had found issues in several of the apps reported to it.
First up is Badbox. Cheap Android streaming boxes typically cost less than $50 and are available online and in stores. These set-top boxes are often unbranded or sold under different names, partially obscuring their origin. Human Security said in its report that in the second half of 2022, its researchers discovered an Android app that appeared to be connected to inauthentic traffic and to the flyermobi.com domain name. When Milisic released his initial findings about the T95 Android box in January this year, that research also pointed to the flyermobi domain name. The team at Human Security purchased this box and several others and began digging into them.
In total, the researchers identified eight devices with the backdoor installed: seven TV boxes (the T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQPro5G) and one tablet, the J5-W. (Some of these issues have also been discovered by other security researchers in recent months.) The company's report, led by data scientist Marion Habiby, said Human Security found at least 74,000 Android devices worldwide showing signs of Badbox infection, including some in U.S. schools.
These TV boxes are manufactured in China. The researchers do not know exactly where in the supply chain the firmware backdoor was added before the devices reached resellers. The backdoor is based on the Triada malware first discovered by security firm Kaspersky in 2016, which modifies an element of the Android operating system to give itself access to the applications installed on the device. Then it calls home. "Without the user knowing, when you plug this thing in, it goes into a Chinese command and control (C2) system, downloads the instruction set, and then starts doing some bad stuff," Reid said.
Human Security has tracked many types of fraud related to compromised devices. These include ad fraud; residential proxy services, where groups sell access to home networks; exploiting connections to create fake Gmail and WhatsApp accounts; and remote code installation. The company's report said the actors behind the attack were commercially selling access to residential networks, claiming they had access to more than 10 million home IP addresses and more than 7 million mobile IP addresses.
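The behaviour described above (a box that calls home to a C2 domain as soon as it is plugged in, and then gets rented out as a residential proxy) leaves a simple trace on the local network: a newly seen device resolving a campaign-associated domain shortly after it first appears. The following Python script is an added example, not code from the article or from Human Security; it scans dnsmasq-style DNS query log lines (the sample lines are constructed, not real captures) for hosts that query a watchlisted domain and notes whether the query came within a "boot window" of the host's first activity. Only flyermobi.com is taken from the article; the second watchlist entry is a labelled placeholder.

```python
"""Flag hosts whose DNS activity matches the Badbox pattern described above.

Added example: this is not code from the article or from Human Security.
It parses dnsmasq-style query log lines and reports, per source IP, every
query to a watchlisted domain together with how long after the host's
first query it happened (an early hit is the boot-time beacon pattern).
"""
import re
from collections import defaultdict
from datetime import datetime

# flyermobi.com is named in the article; the second entry is a placeholder
# (the .invalid TLD can never resolve), not a real indicator.
WATCHLIST = {"flyermobi.com", "c2-placeholder.invalid"}

# Constructed sample log lines for illustration only (not real captures).
SAMPLE_LOG = """\
Oct 10 18:02:01 dnsmasq[512]: query[A] time.android.com from 192.168.1.23
Oct 10 18:02:07 dnsmasq[512]: query[A] api.flyermobi.com from 192.168.1.23
Oct 10 18:05:40 dnsmasq[512]: query[A] www.example.com from 192.168.1.10
Oct 10 18:31:09 dnsmasq[512]: query[A] flyermobi.com from 192.168.1.23
Oct 10 19:12:00 dnsmasq[512]: query[AAAA] example.org from 192.168.1.10
"""

# Matches the "query[TYPE] NAME from SRC" record format that dnsmasq emits
# with log-queries enabled (syslog timestamp, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)$"
)


def parse_queries(log_text):
    """Yield (timestamp, queried name, source IP) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record (e.g. cached/forwarded lines)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["name"].lower().rstrip("."), m["src"]


def on_watchlist(name):
    """True if name is a watchlisted domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_suspect_hosts(log_text, boot_window_s=600):
    """Return {src_ip: [hit, ...]} for hosts that queried a watchlisted domain.

    Each hit records the name, the seconds since the host's first query in
    the log, and whether it fell inside the boot window (the "plug it in and
    it calls home" pattern described in the article).
    """
    first_seen = {}
    hits = defaultdict(list)
    for ts, name, src in parse_queries(log_text):
        first_seen.setdefault(src, ts)
        if on_watchlist(name):
            delta = (ts - first_seen[src]).total_seconds()
            hits[src].append({
                "name": name,
                "seconds_after_first_seen": delta,
                "early": delta <= boot_window_s,
            })
    return dict(hits)


if __name__ == "__main__":
    for src, host_hits in find_suspect_hosts(SAMPLE_LOG).items():
        for h in host_hits:
            tag = "BOOT-TIME BEACON" if h["early"] else "later contact"
            print(f"{src} -> {h['name']} (+{h['seconds_after_first_seen']:.0f}s, {tag})")
```

On a real network the same logic applies to whatever resolver you control (a Pi-hole, a router's dnsmasq, or an enterprise DNS log), and the watchlist would be fed from the indicators in Human Security's report rather than a single domain. A device that shows an early watchlist hit is a candidate for isolation on its own VLAN and for replacement, since the article notes the firmware-level backdoor is not something a typical user can remove.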
These findings are consistent with those of other researchers and with ongoing investigations. Fyodor Yarochkin, senior threat researcher at security firm Trend Micro, said the firm has discovered two Chinese threat groups using backdoored Android devices: one it has researched in depth, and another that is the subject of Human Security's investigation. "The infection profile of devices is very similar," Yarochkin said.
Trend Micro found a "front-end company" in China for the organization it was investigating. "They claim they have more than 20 million devices infected worldwide, with up to 2 million devices online at any one time," Yarochkin said. Based on Trend Micro's network data, he believes those numbers are credible. "There is even an affected tablet in a museum in Europe. I believe that there may be a large number of Android systems affected, including systems in cars. They can easily penetrate into the supply chain, and it is really difficult for manufacturers to detect."
There's also what Human Security calls Peachpit, an app-based fraud that appears on TV boxes as well as Android phones and iPhones. The company found 39 Android, iOS and TV box apps involved. "These are template-based applications, not of high quality," said Joao Santos, a security researcher at the company.
The apps carried out a range of deceptive practices, including hidden ads, spoofed network traffic and malvertising. While the people behind Peachpit appear to be different from those behind Badbox, it is likely they worked together in some way, the report said. "They have an SDK that's responsible for ad fraud, and we found a version of this SDK that matched the name of the module being served on Badbox," Santos said, referring to a software development kit. "That's another layer of connection we found."
According to Human Security's research, the ads involved generate 4 billion ad requests every day, affecting 121,000 Android devices and 159,000 iOS devices. The researchers calculated that the Android apps have been downloaded a total of 15 million times. According to data held by the company (which is not comprehensive, given the complexity of the advertising industry), those behind the operation could easily earn $2 million in a single month.
Google spokesman Ed Fernandez confirmed that 20 Android apps reported by Human Security have been removed from the Play Store. "None of the off-brand devices found infected with Badbox were PlayProtect certified Android devices," Fernandez said, referring to Google's security testing system for Android devices. "If a device is not PlayProtect certified, Google has no record of security and compatibility testing results." The company publishes a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque said Apple found that five of the apps reported by Human Security violated Apple's guidelines and gave the developers 14 days to comply with the rules. As of press time, four of them had done so.
Reid said that in late 2022 and the first half of this year, Human Security took action against the ad fraud carried out by Badbox and Peachpit. According to data provided by the company, the number of fraudulent ad requests from these operations has now dropped off completely. However, the attackers adapted to this interference in real time. Santos said that when the countermeasures were first deployed, those behind the attack responded by pushing updates to obscure what was happening. The actors behind Badbox then took down the C2 server that powered the firmware backdoor, he said.
While the attackers' operations have slowed, the boxes are still in people's homes and online, and the malware is difficult to remove without technical skills. "You can think of these 'Badboxes' as a kind of sleeper cells. They're just there waiting for a set of instructions," Reid said. Finally, for anyone buying a TV streaming box, the recommendation is to buy a branded device from a clearly identified, trustworthy manufacturer. After all, "friends won't let friends plug weird IoT devices into their home networks."
Read the full security report:
https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf