When you buy a TV streaming box, there are some things you don't expect it to do. It should not secretly connect to malware or start communicating with servers in China. It certainly shouldn't be acting as a hub in an organized crime system that makes millions of dollars through fraud. However, this has been the reality for thousands of people who own cheap ones Appliances Android TV.
In January, security researcher Daniel Milisic He discovered that a cheap Android TV streaming box called the T95 was infected with malware out of the box, with many other researchers corroborating his findings. This was the tip of the iceberg. This week, cybersecurity firm Human Security reveals new details about the range of infected devices.
Human Security researchers found seven different Android TVs and one tablets with backdoors installed and have seen signs of 200 different Android device models that may be the same, according to a report shared exclusively at WIRED. The devices are found in homes, businesses and schools across the US. Meanwhile, Human Security also says it has removed an ad scam linked to the program.
"They're like a Swiss army knife of doing bad things on the Internet," says Gavin Reid, CISO at Human Security who leads the company's Satori Threat intelligence and research team.
Human Security's investigation is divided into two parts: Badbox, which covers the compromised Android devices and the ways they are involved in fraud and cybercrime; The second, called Peachpit, looks at an ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security's investigation, while Apple says it has found issues with several of the apps reported to it.
Badbox.
Cheap Android streaming boxes, which usually cost less than $50, are sold online. These decoders are often unbranded or sold under different names, partially hiding their source. In the second half of 2022, Human Security states in its report, that its researchers detected an Android application that appeared to be linked to the flyermobi.com domain. When Milisic published his initial findings about the T95 Android streaming box in January, the research also mentioned the flyermobi domain. The Human team bought the box and more and started testing them.
Overall the researchers they confirmed eight devices with backdoors installed — seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G and one J5-W tablet. The company's report, which is lead by data scientist Marion Habiby, says Human Security has identified at least 74.000 Android devices showing signs of Badbox infection worldwide.
TV boxes are made in China. Somewhere before they reach resellers one is added firmware backdoor. This backdoor uses the Triada malware first discovered by security firm Kaspersky the 2016, and modifies a component of the Android operating system, allowing itself to access applications installed on the devices. Then he contacts the hackers. “Unbeknownst to the user, when you connect this thing, it uses a command command and control (C2) and it starts doing a lot of bad things,” says Reid.
The findings are consistent with those of other researchers and ongoing research. Fyodor Yarochkin, senior threat researcher at security firm Trend Micro, says the company has seen two Chinese groups that have used backdoors on Android devices – one it has investigated in depth, and the other is the one Human Security has looked into.
Trend Micro reports that it found a "front end company" for the group it investigated in China. "They claim to have over 20 million infected devices worldwide, with up to 2 million devices online at any given time."
Peachpit.
It's an app-based scam that runs on TV boxes, Android phones and iPhones, according to Reid. His company identified 39 Android, iOS and TV box apps. “These are standards-based applications — not very high quality,” says Joao Santos, a security researcher at the company. There were apps for developing abs and recording how much water a person drinks.
Apps had malicious behaviors such as displaying hidden ads, Mission fake web traffic and malicious advertising. The investigation says that those behind Peachpit are different from those behind Badbox, but it is possible that they are working together in some way.
Human Security research reports that these ads made 4 billion ad requests per day. 121.000 Android devices appear to be affected, as well as around 159.000 iOS devices. The apps had been downloaded a total of 15 million times.
Reid says that based on the data available to the company, which doesn't show the full picture due to the complexity of the ad industry, those behind the scam could easily be making $2 million a month.
I knew something when I set up new accounts on all my low-cost android devices.
Or you just find a Rom with official Android TV, supported by the box you have, erase the NAND memory and format it, then flash the new software!