Buying an Android set-top box is dangerous: more than 70,000 are infected with malware


If you have already purchased an Android set-top box, or were thinking about buying one, you may want to think twice before spending your money. A new security study has flagged seven Android TV boxes as shipping with a backdoor that installs malware, communicates with remote servers in the background, and more.

The cybersecurity company Human Security is revealing new details about the scope of infected devices and the hidden, interconnected network of fraud schemes linked to streaming boxes, tablets, and apps for iOS and Android.

Infection in Android set-top boxes

Human Security researchers found seven Android TV boxes and one tablet with backdoors installed, and saw signs that 200 different models of Android devices may be affected.

Human Security’s research is divided into two areas. The first, Badbox, covers compromised Android devices and the ways they are used in fraud and cybercrime. The second, called Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it removed the apps following the Human Security investigation, while Apple says it found problems in several of the apps reported to it.

As for Badbox, researchers confirmed a total of eight devices with backdoors installed: seven Android TV boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G) and one tablet (J5-W). Some of these models have already been identified by other security researchers who have investigated the issue in recent months.

The investigation says Human Security detected at least 74,000 Android devices worldwide showing signs of a Badbox infection, including some in schools. The backdoor, which is based on the Triada malware first detected by the security company Kaspersky in 2016, modifies an element of the Android operating system, giving it access to the applications installed on the device.

Then, unbeknownst to the user, once the device is connected it contacts a command and control (C2) server in China, downloads a set of instructions, and starts carrying out a range of malicious activity.

Some examples mentioned in the security report include ad fraud; residential proxy services, where the group behind the scheme sells access to your home internet connection; the creation of fake Gmail and WhatsApp accounts using your connection; and remote code installation.

In-app advertising malware

As for Peachpit, it is the app-based fraud element, which has been present on TVs as well as Android phones and iPhones, says Human Security. The company identified 39 Android, iOS and TV box apps that were involved. “These are template-based applications, of not very high quality,” says Joao Santos, a security researcher at the company. Examples of the infected apps included one on how to build abs and one for recording how much water a person drinks.

The apps performed a variety of fraudulent behaviors, including hidden ads, spoofed web traffic, and malvertising. The investigation says that while those behind Peachpit appear to be different from those behind Badbox, they are likely working together in some way. “They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being put into Badbox,” Santos says, referring to a software development kit. “That was another level of connection we found.”

Human Security’s research says the ads involved generated 4 billion ad requests per day, with 121,000 Android devices and 159,000 iOS devices affected. Researchers estimate that the Android applications have been downloaded a total of 15 million times. (The Badbox backdoor was found only on Android, not on any iOS devices.) Reid says that based on the company’s data, which is not a complete picture because of the complexity of the advertising industry, those behind the scheme could easily have made $2 million in a single month.
