Thousands of Android TV devices with unremovable backdoors
Thousands of Android TV devices have been found pre-installed with unremovable backdoors
When you purchase a streaming TV box, there are certain things you wouldn’t expect it to do. It shouldn’t secretly implant malicious software, nor should it immediately start communicating with servers in China.
It definitely shouldn’t serve as a node in an organized crime scheme, raking in millions through fraud.
However, for the unsuspecting owners of thousands of budget Android TV devices, this is the harsh reality.
In January of this year, security researcher Daniel Milisic discovered that a budget Android TV streaming box named T95 was infected with malware right out of the box, a finding corroborated by several other researchers. But this was just the tip of the iceberg.
This week, cybersecurity company Human Security disclosed new details about the scope of infected devices and a hidden, interconnected network of fraudulent schemes related to streaming boxes.
Researchers at Human Security found that seven Android TV boxes and one tablet had backdoors installed, and they identified around 200 different models of Android devices that could potentially be affected.
These devices are scattered in households, businesses, and schools across the United States. Additionally, Human Security reported uncovering advertising fraud activities associated with this scheme, which likely contribute to funding the operation.
Gavin Reid, CISO of Human Security, stated, “They’re like a Swiss Army knife doing bad things on the internet. This is a truly distributed fraud operation.” Reid mentioned that the company has shared detailed information about facilities that may be involved in manufacturing these devices with law enforcement agencies.
Human Security’s research is divided into two areas: Badbox, which involves compromised Android devices and their involvement in fraud and cybercrime, and Peachpit, a related advertising fraud operation involving at least 39 Android and iOS applications. Google confirmed the removal of these applications from its platform following Human Security’s research, while Apple reported finding issues in several applications reported to them.
First, let’s delve into Badbox. Budget Android streaming boxes typically sell for less than $50 and are available both online and in physical stores. These set-top boxes often lack branding or are sold under different names, obscuring their origins. Human Security revealed in its report that in the second half of 2022, its researchers identified an Android application that appeared to be associated with fraudulent traffic and was linked to the domain flyermobi.com. This domain was also implicated in Milisic’s preliminary findings on the T95 Android box in January. Human Security’s team purchased this box and several others, launching an in-depth investigation.
Researchers ultimately confirmed the presence of backdoors in eight devices: seven TV boxes, including T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and one tablet, J5-W. (In recent months, some other security researchers have also discovered issues with some of these.) The company’s report, authored primarily by data scientist Marion Habiby, stated that Human Security found signs of Badbox infection in at least 74,000 Android devices globally, including some in American schools.
These TV devices are manufactured in China, and researchers are uncertain at what point during their journey to resellers the firmware backdoors were added. This backdoor is based on the Triada malware, first discovered by the security company Kaspersky in 2016, which alters an element of the Android operating system to grant access to installed applications. Afterward, it phones home. Reid explained, “Unbeknownst to the user, when you plug this thing in, it phones home to a command and control (C2) system in China, downloads instructions, and starts doing bad things.”
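As an added example (not code from the article or from Human Security), the following Python script parses constructed dnsmasq-style DNS query logs from a home router, flags any client that resolves flyermobi.com (the domain the report ties to Badbox) or one of its subdomains, and reports how regularly each one does so, the "phone home" rhythm Reid describes. The log lines and client addresses are constructed; the watchlist holds only the domain named on this page.

```python
# Added example, not Human Security's code: flag LAN clients that resolve a
# domain tied to Badbox and estimate how regularly they beacon.
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# flyermobi.com is the domain the report ties to Badbox; a real deployment
# would load the full indicator list published with the report.
WATCHLIST = {"flyermobi.com"}

# Constructed dnsmasq-style query log; 192.168.1.42 plays the TV box.
SAMPLE_LOG = """\
Oct 12 18:00:01 dnsmasq[1234]: query[A] time.android.com from 192.168.1.20
Oct 12 18:00:03 dnsmasq[1234]: query[A] api.flyermobi.com from 192.168.1.42
Oct 12 18:00:05 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Oct 12 18:05:03 dnsmasq[1234]: query[A] api.flyermobi.com from 192.168.1.42
Oct 12 18:10:03 dnsmasq[1234]: query[AAAA] api.flyermobi.com from 192.168.1.42
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$"
)

def parse(lines):
    """Yield (timestamp, queried name, client ip) for each dnsmasq query line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2).lower().rstrip("."), m.group(3)

def in_watchlist(name, watchlist=WATCHLIST):
    """True if name is a watchlist domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)

def find_suspect_clients(lines, watchlist=WATCHLIST):
    """Return {client: {'hits', 'interval_s'}} for clients resolving watchlist names.
    interval_s is the median gap between hits (None for a single hit); a steady
    interval is the 'phone home' rhythm the article describes."""
    hits = defaultdict(list)
    for ts, name, client in parse(lines):
        if in_watchlist(name, watchlist):
            hits[client].append(ts)
    report = {}
    for client, times in sorted(hits.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[client] = {"hits": len(times), "interval_s": median(gaps) if gaps else None}
    return report
```

On a real router, feed `find_suspect_clients` the dnsmasq log file and treat any client with a steady interval as a candidate for isolation and further inspection.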
Human Security has tracked various types of fraudulent activities related to the compromised devices. These include ad fraud; residential proxy services, where underground groups sell access to home network connections; the creation of fake Gmail and WhatsApp accounts using those connections; and remote code installation. The company’s report states that these underground actors claim to commercially sell access to home networks, asserting access to over 10 million home IP addresses and 7 million mobile IP addresses.
These findings align with those of other researchers and ongoing investigations. Fyodor Yarochkin, a senior threat researcher at Trend Micro, said his company found two Chinese threat groups using the backdoored Android devices—one they have extensively studied and another investigated by Human Security. “The infection patterns of the devices are very similar,” Yarochkin said.
Trend Micro traced the organization responsible in China to a “front company.” Yarochkin said, “They claimed they had over 20 million infected devices globally, with as many as 2 million devices online at any given time. According to Trend Micro’s network data, these numbers appear credible.” Yarochkin noted that even a tablet in a European museum was found to be affected, and said such implants could easily slip into the supply chain for other Android-based systems, including those in cars, and go unnoticed by manufacturers.
Then there’s what Human Security calls Peachpit, a mobile application-based fraud operation found on TV boxes, Android phones, and iPhones. The company identified 39 Android, iOS, and TV box applications involved. Joao Santos, a security researcher at the company, said, “These are template-based applications of relatively low quality.”
These applications carry out a range of fraudulent activities, including hiding ads, deceiving internet traffic, and displaying malicious ads. While the actors behind Peachpit appear different from those behind Badbox, they likely collaborate in some way. Santos explained, “They have an SDK for ad fraud, and we found a version of this SDK with a module name that matches what was being delivered on Badbox.” (SDK stands for software development kit.) “That’s another layer of connection we found.”
Human Security’s research revealed that the implicated ads generated 4 billion ad requests daily, impacting 121,000 Android devices and 159,000 iOS devices. According to the researchers’ calculations, the total downloads for Android applications reached 15 million. Based on the data the company has, which is not comprehensive due to the complexity of the advertising industry, these actors could easily earn $2 million within a month.
Google spokesperson Ed Fernandez confirmed that 20 Android applications mentioned in Human Security’s report were removed from the Play Store. Fernandez stated, “Non-branded devices found infected with Badbox are not certified Android devices through Play Protect,” referring to Google’s security testing system for Android devices. “Without Play Protect certification, Google has no record of security and compatibility test results.” The company maintains a list of certified Android TV partners. Apple spokesperson Archelle Thelemaque said that Apple found five of the applications mentioned in the Human report to violate its guidelines and gave the developers 14 days to comply. As of the time of writing, four of them have done so.
Reid mentioned that Human Security took action against the advertising fraud activities of Badbox and Peachpit at the end of 2022 and the beginning of 2023. According to the data provided by the company, fraudulent ad requests from these schemes have now dropped to zero. However, attackers adapt in real-time. Santos explained that when countermeasures were initially deployed, the actors behind these schemes sent updates to obfuscate their actions. He stated that afterward, the actors behind Badbox took down the C2 servers that powered the firmware backdoor.
Although the attackers’ actions have slowed down, these boxes still reside in people’s homes and networks. Removing the malware is difficult for anyone without technical skills. “Think of these ‘Badboxes’ as sleeper cells. They’re there waiting for instructions,” Reid said. In the end, for those considering purchasing a streaming TV box, it’s recommended to opt for branded devices from an identifiable, accountable manufacturer. After all, “friends don’t let friends plug weird IoT devices into their home networks.”
Read the full security report here: Link to the Human Security Report