Many Android devices come with unkillable backdoor

Security researcher, Daniel Milisic, discovered a cheap Android TV streaming box called the T95 was infected with malware right out of the box. His findings were backed by other researchers as well. This week, Human Security unveiled new details of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.

The researchers found seven Android TV boxes and one tablet with the backdoors installed, along with 200 other Android devices, an exclusive report shared with The Wire revealed. While Human Security has taken down advertising fraud linked to the scheme, these devices are still present in homes, businesses, and schools.

“They’re like a Swiss Army knife of doing bad things on the Internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.”

Reid added that the company also shared details of facilities where the devices may have been manufactured with law enforcement agencies.

The research has been divided into two areas; Badbox, involving the compromised Android devices and the ways they are involved in fraud and cybercrime, and Peachpit which is related to ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed apps following Human Security’s research, while Apple says it has found issues in several of the apps reported to it.

Cheap Android streaming boxes, usually costing less than $50, were sold online and in brick-and-mortar shops, with no known brand. Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. The researchers confirmed eight devices with backdoors installed—seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, and a tablet J5-W.

Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.

The devices are built in China, though it is not known where a firmware backdoor is added. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.

Multiple types of fraud were linked to the compromised devices including advertising fraud, residential proxy service, fake Gmail and WhatsApp accounts and remote code installation.

Trend Micro found a “front end company” for the group it investigated in China, Yarochkin says.

“They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”

The company identified 39 Android, iOS, and TV box apps that were involved in an app-based fraud element, called Peachpit. “These are template-based applications—not very high quality,” says Joao Santos, a security researcher at the company. Apps about developing six-pack abs and logging the amount of water a person drinks were included.

The apps not only had hidden advertisements but also spoofed web traffic and malvertising. Human Security’s research says the ads involved were making 4 billion ad requests per day, with 121,000 Android devices impacted and 159,000 iOS devices impacted. There had been 15 million downloads in total for the Android apps, the researchers calculated.

Google spokesperson Ed Fernandez confirms the 20 Android apps reported by Human Security have been removed from the Play Store. Apple spokesperson Archelle Thelemaque says that it found five of the apps Human reported breaching its guidelines, and the developers were given 14 days to make them follow the rules.

These attacks, though now much slowed, are still in people's homes with dangerous malware that is very hard to remove. “You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets,” Reid says.