
When you buy a TV streaming box, there are some things you don’t expect from it. It should not secretly carry malware or start talking to servers in China the moment it is turned on. It certainly should not act as a node in an organized crime scheme that earns millions of dollars through fraud. That, however, is the reality for thousands of unsuspecting people who own inexpensive Android TV devices.
In January, security researcher Daniel Milicic found that an inexpensive Android TV streaming box called the T95 was infected with malware right out of the box, a finding confirmed by several other researchers. But this was just the tip of the iceberg. This week, cybersecurity firm Human Security is revealing new details about the scope of infected devices and the hidden, interconnected web of fraud schemes tied to streaming boxes.
According to a report shared exclusively with WIRED, Human Security researchers found seven Android TV boxes and one tablet with backdoors installed, and they have seen signs that 200 different models of Android devices may be affected. These devices are in homes, businesses, and schools across America. Meanwhile, Human Security says it has also taken down ad fraud linked to the scheme, which likely helped pay for the operation.
“They’re like a Swiss Army knife for doing bad things on the Internet,” says Gavin Reed, CISO at Human Security, who leads the company’s Satori threat intelligence and research team. “It’s really a distributed way to commit fraud.” Reed says the company has shared with law enforcement agencies details of the facilities where the devices may have been manufactured.
Human Security’s research is divided into two areas. The first, Badbox, covers the compromised Android devices and the ways they are used for fraud and cybercrime. The second, called PeachPit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it removed the apps after Human Security’s research, while Apple says it found problems with many of the reported apps.
First, Badbox. Inexpensive Android streaming boxes, which typically cost less than $50, are sold online and in brick-and-mortar stores. These set-top boxes are often unbranded or sold under different names, which partly obscures their origin. Human Security said in its report that in the second half of 2022 its researchers observed an Android app that appeared to be associated with inauthentic traffic and was linked to the flyermobi.com domain. When Milicic posted his initial findings about the T95 Android box in January, that research also pointed to the flyermobi.com domain. Human’s team bought the box and several other devices and started digging into them.
In total, researchers confirmed the backdoor on eight devices: seven TV boxes (the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) and one tablet, the J5-W. (Some of these have also been identified by other security researchers looking at this issue in recent months.) The company’s report, whose lead author is data scientist Marion Habibi, says Human Security has observed signs of Badbox infection on at least 74,000 Android devices worldwide, including some in schools across the US.
The TV boxes are manufactured in China. Somewhere before they reach resellers (researchers don’t know exactly where) a firmware backdoor is added to them. This backdoor, which is based on the Triada malware first spotted by security firm Kaspersky in 2016, modifies an element of the Android operating system so that it can reach into the apps installed on the device. Then it calls home. Reed says, “Without telling the user, when you plug this thing in, it goes into a command and control (C2) in China and downloads an instruction set and starts doing a lot of bad things.”
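The only network indicator the reporting above gives is the flyermobi.com domain that both Milicic and Human Security tied to the boxes’ traffic, and the one observable a home user controls is the router’s DNS log. The following Python script is an added example, not code from WIRED or from Human Security’s tooling: it scans dnsmasq query log lines (the real `--log-queries` format) for any client that looked up that domain or a subdomain of it. The log lines, client addresses, timestamps and the `api.` subdomain are constructed for the example. It is a detection check, not proof of infection: a lookup shows a device reached for the domain, and the absence of lookups proves nothing once the operators have taken their servers offline.

```python
import re
from collections import defaultdict

# Indicator from the research described above. Nothing else in this file is
# drawn from the reporting; hosts, timestamps and the subdomain are constructed.
INDICATOR_DOMAINS = {"flyermobi.com"}

# dnsmasq --log-queries line: "<ts> dnsmasq[pid]: query[TYPE] <name> from <client-ip>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+dnsmasq\[\d+\]:\s+query\[(?P<qtype>[A-Z]+)\]\s+"
    r"(?P<name>\S+)\s+from\s+(?P<client>[\d.]+)$"
)


def matches_indicator(name, indicators=INDICATOR_DOMAINS):
    """True if name is an indicator domain or a label-aligned subdomain of one.

    Label alignment matters: 'notflyermobi.com' must not match 'flyermobi.com'.
    """
    name = name.rstrip(".").lower()
    return any(name == ind or name.endswith("." + ind) for ind in indicators)


def scan_dns_log(lines, indicators=INDICATOR_DOMAINS):
    """Return {client_ip: [(timestamp, queried_name), ...]} for every client
    that resolved an indicator domain. Reply/cache lines are ignored because
    only the query line carries the client address."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        if matches_indicator(m["name"], indicators):
            hits[m["client"]].append((m["ts"], m["name"].rstrip(".").lower()))
    return dict(hits)


# Constructed sample log: 192.168.1.23 plays the suspect box, 192.168.1.40 is a
# benign client whose lookups happen to contain the indicator as a substring.
SAMPLE_LOG = """\
Oct  4 19:02:11 dnsmasq[812]: query[A] time.android.com from 192.168.1.23
Oct  4 19:02:12 dnsmasq[812]: query[A] flyermobi.com from 192.168.1.23
Oct  4 19:02:12 dnsmasq[812]: reply flyermobi.com is 203.0.113.10
Oct  4 19:02:40 dnsmasq[812]: query[A] www.notflyermobi.com from 192.168.1.40
Oct  4 19:05:03 dnsmasq[812]: query[AAAA] api.flyermobi.com from 192.168.1.23
Oct  4 19:07:55 dnsmasq[812]: query[A] example.org from 192.168.1.40
""".splitlines()


if __name__ == "__main__":
    for client, queries in scan_dns_log(SAMPLE_LOG).items():
        print(f"{client}: {len(queries)} indicator lookup(s)")
        for ts, name in queries:
            print(f"  {ts}  {name}")
```

On a real router, feed it the dnsmasq log (for example `journalctl -u dnsmasq` or `/var/log/dnsmasq.log`) and extend `INDICATOR_DOMAINS` with any further domains published by the researchers; the client address it reports is the device to pull off the network.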
Human Security tracked several types of fraud involving the compromised devices. These include ad fraud; residential proxy services, where the group behind the scheme sells access to your home network; creating fake Gmail and WhatsApp accounts over that connection; and remote code installation. The company reported that those behind the scheme were commercially selling access to residential networks, claiming access to more than 10 million home IP addresses and 7 million mobile IP addresses.
These findings match those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at security firm Trend Micro, says the company has seen two Chinese threat groups that have used backdoored Android devices, one it has researched in depth and the other being the group Human Security focused on. “The transition of devices is quite similar,” says Yarochkin.
Yarochkin says he found a “front end company” in China for the group Trend Micro investigated. “They were claiming they had over 20 million devices infected worldwide, of which 2 million devices were online at any given time,” he says. Based on network data from Trend Micro, Yarochkin believes these figures are reliable. “There was a tablet in a museum somewhere in Europe,” says Yarochkin, who believes it is possible that many kinds of Android systems could have been affected, including cars. “It is easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it’s really hard to figure out.”
Then there’s what Human Security calls PeachPit. This is the app-based fraud element, Reed says, which is present on the TV boxes as well as on Android phones and iPhones. The company identified 39 Android, iOS, and TV box apps involved. “These are template-based applications – not very high quality,” says João Santos, a security researcher at the company. The apps included one for developing six-pack abs and one for logging how much water a person drank.
The apps engaged in a variety of fraudulent practices, including hidden ads, fake web traffic, and malware. The research states that although the people behind PeachPit appear separate from the people behind Badbox, it is likely that they are working together in some way. “They have this SDK that did ad fraud, and we found a version of this SDK that matches the name of the module left on Badbox,” Santos says, referring to a software development kit. “That was another level of connection that we found.”
Human Security’s research said the operation was generating 4 billion ad requests per day, with 121,000 Android devices and 159,000 iOS devices affected. Researchers estimate that the Android apps were downloaded a total of 15 million times. (The Badbox backdoor was found only on Android, not on any iOS device.) Reed says that, based on the data the company has, which is not the full picture given the complexity of the advertising industry, the people behind the scheme could easily have made $2 million in a single month.
Google spokesperson Ed Fernandez confirmed that the 20 Android apps reported by Human Security have been removed from the Play Store. “The off-brand devices found to be Badbox-infected were not Play Protect-certified Android devices,” Fernandez says, referring to Google’s security testing program for Android devices. “If a device is not Play Protect certified, Google does not have a record of its security and compatibility testing results.” The company publishes a list of certified Android TV partners. Apple spokesperson Arkel Thelemake says the five apps reported by Human were found to violate its guidelines and that the developers were given 14 days to comply with the rules. As of publication, four of them have done so.
In late 2022 and the first part of this year, Human Security took action against the ad fraud elements of Badbox and PeachPit, Reed says. According to data shared by the company, the countermeasures now in place have brought the volume of fraudulent ad requests down dramatically. But the attackers adapted to the disruption in real time. Santos says that when the countermeasures were first implemented, the people behind the schemes began pushing updates to obscure what they were doing. Then, he says, the people behind Badbox shut down the C2 servers powering the firmware backdoor.
Although the attackers have been slowed, the boxes are still in people’s homes and on their networks. And unless you have technical skills, the malware is very hard to remove: because the backdoor lives in the firmware, a factory reset simply reinstalls the same backdoored image. “You can think of these Badboxes like sleeper cells. They’re just sitting there waiting for the instruction set,” Reed says. Ultimately, the advice for people buying a TV streaming box is to buy a branded device from a manufacturer that is clearly identified and trustworthy. As Reed says, “Don’t allow friends to plug strange IoT devices into your home network.”
This story originally appeared on Wired.com.