Backdoored Android phones, TVs used for ad fraud – and worse!

Human Security has announced a significant disruption to a complex cybercriminal operation that relied on backdoored off-brand Android devices, including mobile phones, tablets, and CTV boxes, as a primary monetization method. The company’s Satori Threat Intelligence and Research Team identified over 74,000 such devices exhibiting signs of infection.

Badbox and Peachpit

Referred to as “Badbox” by researchers, the operation uses a backdoor based on the Triada malware, first identified in 2016, planted on Android-based CTV boxes, smartphones, and tablets. The backdoor is inserted into the devices’ firmware during manufacturing in China, before the devices are packaged and shipped, so it is already present when the device is first powered on.

Badbox-compromised devices can steal personally identifiable information, act as residential proxy exit nodes, intercept one-time passwords, create fraudulent accounts and messages on services such as WhatsApp and Gmail, and carry out other custom fraud. In November 2022, Human’s researchers uncovered an “ad fraud module” within Badbox that loads advertisements hidden from the user’s view and simulates clicks on them, deceiving advertisers and distorting the advertising technology ecosystem.

The Satori team also detected a set of Android, iOS, and CTV applications engaged in similar fraud that operated independently of the backdoored Badbox devices. These applications, known as “Peachpit,” generated approximately four billion ad requests per day at their peak.

Disrupting fraudulent schemes

Gavin Reid, Chief Information Security Officer (CISO) of Human, emphasized the sophistication of the Badbox scheme and its abuse of distributed supply chains to scale criminal activity. The targets are unsuspecting consumers who buy the devices through reputable e-commerce platforms and retailers.

Reid also noted that the backdoor scheme is exceptionally difficult for users to detect. Of the devices Human purchased from online retailers to test, 80 percent were found to be infected with Badbox, illustrating how widespread these devices are in the market.

In response, Human Security worked with Google and Apple to disrupt the Peachpit operation. The company has also cooperated with law enforcement, providing details about the facilities where some Badbox-infected devices were produced, as well as information about the organizations and individuals associated with the Peachpit operation.

What can you do?

At its peak, Peachpit-affiliated apps were installed on approximately 121,000 Android devices and 159,000 iOS devices across 227 countries and territories. The 39 Android, iOS, and CTV apps involved in the scheme had accumulated over 15 million installations before they were removed from the app stores.

It’s important to note that the Badbox backdoor did not affect iOS devices; those were reached only by the Peachpit ad fraud apps. The infected off-brand Android devices were not Play Protect certified. Users can check whether their own device is certified in the Google Play Store app under Settings > About > Play Protect certification; an uncertified device has not passed Google’s compatibility and security testing and should be treated with suspicion.

Unfortunately, Badbox-infected devices are a difficult problem for ordinary users: the malware that deploys the backdoor sits in the device firmware and contacts a command-and-control server on first boot. Because a factory reset only wipes user data and leaves the firmware partitions untouched, resetting the device to factory defaults does not remove the backdoor.

Human Security’s published report includes a list of the malicious Android and iOS Peachpit application bundles. Users who have installed any of these apps are strongly advised to uninstall them promptly.
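The two preceding points, that an indicator list of package names can be checked against an Android device and that a firmware-resident package cannot be removed by uninstalling or by a factory reset, can be turned into a quick triage script. The following is an added example, not code from Human Security’s report: it parses the output of `adb shell pm list packages -f`, matches package names against an indicator list, and reports whether each hit lives under `/data` (a user-installed app that `pm uninstall` can remove) or on a read-only partition such as `/system` or `/vendor` (firmware, which survives a factory reset). The package names in the sample data are placeholders, not real Peachpit or Badbox identifiers; substitute the bundle list from the report.

```shell
#!/bin/sh
# Added example (not from Human Security's report): triage an Android device
# against a list of suspect package names, and flag matches that live on a
# read-only system partition, which a factory reset does not touch.

# Constructed sample of `adb shell pm list packages -f` output. The package
# names are placeholders, not real Peachpit or Badbox identifiers.
SAMPLE_PM_OUTPUT='package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/~~x/com.example.userapp-1/base.apk=com.example.userapp
package:/data/app/~~y/com.example.suspect.game-1/base.apk=com.example.suspect.game
package:/vendor/app/Helper/Helper.apk=com.example.suspect.helper
package:/system/priv-app/Core/Core.apk=com.example.suspect.core'

# Constructed indicator list: one package name per line, '#' comments allowed.
SAMPLE_IOCS='# hypothetical indicators
com.example.suspect.game
com.example.suspect.helper
com.example.suspect.core
com.example.notinstalled'

# triage_packages PM_OUTPUT IOC_LIST
# Prints one line per indicator found on the device:
#   "<package> <user|system> <apk path>"
triage_packages() {
  pm_output=$1
  iocs=$(printf '%s\n' "$2" | grep -v '^#' | grep -v '^$')
  printf '%s\n' "$pm_output" | while IFS= read -r line; do
    case $line in package:*) ;; *) continue ;; esac
    entry=${line#package:}
    pkg=${entry##*=}      # text after the last '=' is the package name
    apk=${entry%=*}       # text before it is the APK path
    if printf '%s\n' "$iocs" | grep -qx "$pkg"; then
      case $apk in
        /data/*) kind=user ;;    # removable with `adb shell pm uninstall`
        *)       kind=system ;;  # /system, /vendor, /product: survives factory reset
      esac
      printf '%s %s %s\n' "$pkg" "$kind" "$apk"
    fi
  done
}

# count_system_matches PM_OUTPUT IOC_LIST
# Number of matched packages that sit on a firmware partition.
count_system_matches() {
  triage_packages "$1" "$2" | awk '$2 == "system"' | wc -l | tr -d ' '
}

# Live use against a connected device (not run in this offline demo):
#   triage_packages "$(adb shell pm list packages -f)" "$(cat iocs.txt)"
# Matches reported as "user":   adb shell pm uninstall <package>
# Matches reported as "system": cannot be uninstalled; the device firmware
#                                itself is compromised and the device should
#                                be treated as untrusted and taken offline.

triage_packages "$SAMPLE_PM_OUTPUT" "$SAMPLE_IOCS"
```

On the constructed sample the script reports one user-installed match and two firmware-resident ones. The distinction is the practical point: `pm uninstall` (or `pm uninstall --user 0`, which only hides a system app for the current user) is the end of the road for a consumer, so any "system" hit means the device, not just an app, is the problem.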

While Peachpit has been disrupted and several Badbox components are currently dormant, the threat actors behind Badbox are likely reconfiguring their schemes and looking for other ways to continue their activity.

Megafea Editors