Backdoored Android phones, TVs used for ad fraud – and worse!

A key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices has been disrupted, Human Security has announced.

The company’s Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.

Badbox and Peachpit

Dubbed Badbox by the researchers, the scheme utilizes Triada malware, first uncovered in 2016, as a “backdoor” on physical devices such as CTV boxes, smartphones, and tablets running Android.

Off-brand, Badbox-infected devices analyzed by the researchers (Source: Human)

The malware is installed during the supply chain process in China, before the devices are packaged and shipped.

Badbox-infected devices are able to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging (WhatsApp) and email (Gmail) accounts, and other unique fraud schemes.

In November 2022, Human’s researchers uncovered an “ad fraud module” of Badbox, hiding ads where users couldn’t see them and faking clicks on those ads to defraud the advertisers and advertising technology ecosystem.

In addition to the Badbox ad fraud module, the Satori team also found a group of Android, iOS, and CTV apps committing similar fraud, independent of the backdoored Badbox devices. These apps, dubbed Peachpit, accounted for an average of four billion ad requests a day.

Disrupting fraudulent schemes

“The Badbox scheme is an incredibly sophisticated operation, and it demonstrates how criminals use distributed supply chains to amplify their schemes on unsuspecting consumers who purchase devices from trusted e-commerce platforms and retailers,” said Gavin Reid, CISO of Human.

“This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised. Of the devices Human acquired from online retailers, 80 percent were infected with Badbox, which demonstrates how broadly they were circulating on the market.”

Human Security worked with Google and Apple to disrupt the Peachpit operation. Human has also shared information about the facilities at which some Badbox-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the Peachpit operation.

What can you do?

At its peak, Peachpit-associated apps appeared on 121,000 Android devices and 159,000 iOS devices in 227 countries and territories. The collection of 39 Android, iOS, and CTV-centric apps impacted by the scheme were installed more than 15 million times before the apps were taken down.

No iOS devices were themselves impacted by the Badbox backdoor; they were targeted only by the Peachpit ad fraud attack through malicious apps. The off-brand devices discovered to be infected were not Play Protect certified Android devices.

Unfortunately, Badbox-infected devices are fundamentally unfixable by the average user as the malware used to deploy the backdoor connects with a command-and-control server on booting up for the first time. Restoring the device to factory defaults will not help.

The report Human published lists the malicious Android and iOS Peachpit application bundles. Users who have installed one or more of them are advised to uninstall them.

“Peachpit has been disrupted, while the other components of Badbox are dormant. Many—possibly all—of the C2s associated with the Badbox campaign have been taken down by the threat actors,” the researchers said.

“This should not be construed as ‘over’, though; the Satori team believes the threat actors behind Badbox are simply reconfiguring their schemes to try to find a new way forward.