Many Android devices come with unkillable backdoor
Security researcher Daniel Milisic discovered that a cheap Android TV streaming box, the T95, shipped infected with malware straight out of the box, and other researchers later confirmed his findings. This week, Human Security unveiled new details about the infected devices and the hidden, interconnected web of fraud schemes linked to them.
The researchers found seven Android TV boxes and one tablet with the backdoors installed, along with signs of infection on some 200 other Android devices, according to a report shared exclusively with The Wire. While Human Security has disrupted the advertising fraud linked to the scheme, the compromised devices are still present in homes, businesses, and schools.
“They’re like a Swiss Army knife of doing bad things on the Internet,” says Gavin Reid, the CISO at Human Security who leads the company’s Satori Threat Intelligence and Research team. “This is a truly distributed way of doing fraud.”
Reid added that the company has also shared with law enforcement agencies details of the facilities where the devices may have been manufactured.
The research is divided into two areas: Badbox, covering the compromised Android devices and the fraud and cybercrime they are used for, and Peachpit, an ad-fraud operation involving at least 39 Android and iOS apps. Google says it has removed apps following Human Security's research, while Apple says it has found issues in several of the apps reported to it.
The cheap Android streaming boxes, usually costing less than $50, were sold online and in brick-and-mortar shops under no known brand. Human Security says in its report that its researchers first spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. The researchers confirmed backdoors on eight devices: seven TV boxes (the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) and one tablet, the J5-W.
Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world—including some in schools across the US.
The devices are built in China, though it is not known where a firmware backdoor is added. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff,” Reid says.
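For a defender who cannot open the firmware, the most practical check is on the network side: a device that phones home on first boot has to resolve its command-and-control hostnames, and a home or school router's DNS log records that. The script below is an added example, not code from the article or from Human Security's report. It parses dnsmasq-style query lines, matches each queried name against an indicator list (the only indicator taken from the article is flyermobi.com; any other entries are the reader's own), matches subdomains but not look-alike names, and reports every domain a flagged client contacted so the analyst can see what else the box reached. The log lines are constructed for the demo; the dnsmasq line format is the real one.

```python
"""Flag LAN clients whose DNS queries touch known Badbox-related domains.

Added example, not from Human Security's report. The only indicator taken
from the article is flyermobi.com; the dnsmasq-style log lines below are
constructed for the demo.
"""
import re
from collections import defaultdict

# Indicator list. flyermobi.com is the domain the article names; extend it
# with indicators from your own threat-intel feed.
IOC_DOMAINS = {"flyermobi.com"}

# dnsmasq query line, e.g.:
# Oct 10 21:03:11 dnsmasq[512]: query[A] api.flyermobi.com from 192.168.1.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: one box (192.168.1.23) phones home, the others do not.
SAMPLE_LOG = """\
Oct 10 21:03:09 dnsmasq[512]: query[A] time.android.com from 192.168.1.23
Oct 10 21:03:11 dnsmasq[512]: query[A] api.flyermobi.com from 192.168.1.23
Oct 10 21:03:11 dnsmasq[512]: reply api.flyermobi.com is 203.0.113.10
Oct 10 21:03:15 dnsmasq[512]: query[AAAA] www.example.org from 192.168.1.50
Oct 10 21:04:02 dnsmasq[512]: query[A] FLYERMOBI.COM. from 192.168.1.23
Oct 10 21:05:30 dnsmasq[512]: query[A] notflyermobi.com from 192.168.1.77
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so 'FLYERMOBI.COM.' matches."""
    return qname.lower().rstrip(".")


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """True if qname is an IOC domain or a subdomain of one.

    'notflyermobi.com' must not match 'flyermobi.com', hence the
    explicit '.' boundary instead of a plain endswith().
    """
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in iocs)


def parse_queries(log_text):
    """Yield (timestamp, client, qname) per query line; skip reply/other lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["ts"], m["client"], normalize(m["qname"])


def find_suspect_clients(log_text, iocs=IOC_DOMAINS):
    """Return {client: sorted list of every domain it queried} for clients
    that resolved at least one IOC. The full domain list is kept so the
    analyst can see what else the box talked to around the phone-home.
    """
    by_client = defaultdict(set)
    hits = set()
    for _ts, client, qname in parse_queries(log_text):
        by_client[client].add(qname)
        if matches_ioc(qname, iocs):
            hits.add(client)
    return {c: sorted(by_client[c]) for c in sorted(hits)}


if __name__ == "__main__":
    for client, domains in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(domains)}")
```

Run against a real router log by replacing SAMPLE_LOG with the file contents; a flagged client IP can then be mapped to a MAC address and physically located. Absence of a hit is not a clean bill of health, since the firmware can rotate domains or resolve them over a channel the router does not log.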
Multiple types of fraud were linked to the compromised devices, including advertising fraud, residential proxy services, the creation of fake Gmail and WhatsApp accounts, and remote code installation.
Trend Micro found a "front end company" in China for the group it investigated, says Fyodor Yarochkin, a threat researcher at Trend Micro.
“They were claiming that they have over 20 million devices infected worldwide, with up to 2 million devices being online at any point of time,” he says. “There was a tablet in one of the museums somewhere in Europe,” Yarochkin says, adding he believes it is possible that swaths of Android systems may have been impacted, including in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, it's really difficult to detect.”
The company identified 39 Android, iOS, and TV box apps involved in the app-based fraud component, called Peachpit. "These are template-based applications—not very high quality," says Joao Santos, a security researcher at the company. Apps for developing six-pack abs and for logging how much water a person drinks were among them.
The apps not only served hidden advertisements but also generated spoofed web traffic and malvertising. Human Security's research says the operation was generating 4 billion ad requests per day, with 121,000 Android devices and 159,000 iOS devices impacted. The Android apps had been downloaded 15 million times in total, the researchers calculated.
Google spokesperson Ed Fernandez confirms that the 20 Android apps reported by Human Security have been removed from the Play Store. Apple spokesperson Archelle Thelemaque says Apple found that five of the apps Human reported breached its guidelines, and gave the developers 14 days to bring them into compliance.
Although the operation has now been much slowed, the compromised devices are still in people's homes, carrying firmware-level malware that is very hard to remove. "You can think of these Badboxes as kind of like sleeper cells. They're just sitting there waiting for instruction sets," Reid says.