Malware-Infected Devices Sold Through Major Retailers


Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. The operation involved the sale, through major retailers, of backdoored off-brand mobile and CTV (Connected TV) Android devices that had passed through repackaging factories in China.

The scheme, known as BADBOX, deploys the Triada malware as a "backdoor" on various devices such as CTV boxes, smartphones and tablets during the supply chain process in China. 

Human's Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.

From a technical standpoint, the infected devices can steal personally identifiable information (PII), create fake messaging and email accounts and execute various fraudulent activities. Even after a factory reset, BADBOX-infected devices remain compromised, as the malware connects to a command-and-control (C2) server on first boot.

"The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn't Play Protect certified, Google doesn’t have a record of security and compatibility test results," a Google spokesperson told Infosecurity in an email.

"Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified."

Still, according to Human Security, BADBOX's ability to infiltrate devices sold by trusted e-commerce platforms and retailers makes it particularly dangerous. 

"This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised," commented Human Security's chief information security officer, Gavin Reid.

"Of the devices Human acquired from online retailers, 80% were infected with BADBOX, which demonstrates how broadly they were circulating on the market."


Additionally, in November 2022, Human's Satori Threat Intelligence and Research Team uncovered an "ad fraud module" within BADBOX, which used hidden ads and fake clicks to defraud advertisers. They also identified a group of Android, iOS and CTV apps, known as PEACHPIT, that conducted similar ad fraud independently of BADBOX.

"The cyber-criminals behind PEACHPIT utilized methods such as hidden advertisements, spoofed web traffic, and malvertising to monetize their scheme and defraud the advertising industry," said Marion Habiby, data scientist at Human.

Human Security worked with tech giants Google and Apple to disrupt the PEACHPIT operation, sharing information with law enforcement. This collaboration aimed to raise the cost for cyber-criminals and protect the advertising industry from fraudulent schemes.

UPDATE 05/10/2023: The article has been updated to include Google's comment.
