In a startling revelation, cybersecurity firm Human Security has exposed a troubling trend: the firm has found that numerous Android TV boxes, and at least one tablet, ship pre-infected with Triada-based malware.
This malware poses significant threats, including ad fraud, the creation of counterfeit accounts, and unauthorized access to home networks by surreptitiously funnelling data to servers located in China, as reported by Tom’s Guide.
Android TV boxes infected by malware linked to fraud
Human Security’s latest report has alarmed the tech community by shedding light on the prevalence of these infected devices. Researchers at the firm have uncovered disturbing evidence that several models of Android TV boxes and one tablet are shipped with firmware backdoors that are challenging to detect and remove.
The magnitude of the threat is staggering, with at least 74,000 Android mobile phones, tablets, and connected TV boxes worldwide exhibiting signs of infection. What’s even more troubling is the revelation that approximately 200 different Android device models may be affected by this malware, as reported by Wired.
Identified compromised devices
In their investigation, the cybersecurity experts pinpointed eight devices with these malicious backdoors installed from the outset. These devices encompass seven TV boxes, specifically the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G, along with a tablet identified as J5-W. These devices have a diverse user base, ranging from households to businesses and schools across the United States.
Gavin Reid, Human Security’s Chief Information Security Officer (CISO), emphasized the global reach of this fraudulent operation, stating, “This is a truly distributed way of doing fraud.” Law enforcement agencies have been provided with detailed information regarding the potential origins of these compromised devices.
So, how does this scheme operate? The infected devices are manufactured in China, where, at some point in the commercial supply chain, a malware-based firmware backdoor is clandestinely integrated. This backdoor is built on the notorious Triada malware, which acts as a “downloader” primarily designed to establish a gateway for installing other malicious software. These infections, known as BadBox infections, are intricately linked to a vast network of fraud and cybercrime.
Gavin Reid explained the modus operandi of the malware, saying, “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff.”
Once hackers gain access to these compromised devices, they employ them for various types of fraudulent activities, including:
- advertising fraud
- creation of fake Gmail and WhatsApp accounts
- remote code installations
The group orchestrating this scheme reportedly sells access to residential networks on the black market and claims to have control over millions of mobile IP addresses.
Human Security reported that the operators behind BadBox have recently taken down their command-and-control servers, presumably to adapt and evade detection in response to heightened scrutiny. Consumers are strongly advised against using the infected devices, as the malware is deeply embedded in the firmware partition, making it exceptionally challenging to remove without technical expertise.
Gavin Reid offered valuable advice to potential buyers in the market for a new TV streaming box, recommending that they go for familiar brands and stick to devices from reputable manufacturers.
As we become more reliant on technology, it’s important to remain vigilant and cautious to protect ourselves from such harmful threats.