Security researcher Daniel Milisek discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box. His findings were corroborated by other researchers. This week, Human Security unveiled new details of the affected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes.
The researchers found seven Android TV boxes and a tablet with the backdoor installed, along with signs of it on some 200 other Android devices. While Human Security has cracked down on the ad fraud linked to the scheme, the devices still sit in homes, businesses and schools.
“They’re like a Swiss Army knife for doing bad things on the Internet,” says Gavin Reid, CISO of Human Security, who leads the company’s Satori Threat Intelligence and Research team. “It’s a really distributed way to commit fraud.”
Reid added that the company has also shared details of the facilities where the devices are manufactured with law enforcement agencies.
The research is divided into two parts: Badbox, which covers the compromised Android devices and the ways they are used in fraud and cybercrime, and Peachpit, an ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security’s research, while Apple says it has found issues with several of the apps reported to it.
Inexpensive Android streaming boxes, typically priced under $50, are sold online and in brick-and-mortar stores, often without any recognizable brand name. Human Security says in its report that its researchers observed an Android app that appeared to be linked to inauthentic traffic and to the domain flyermobi.com. The researchers confirmed eight devices with backdoors: seven TV boxes, the T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G, and one tablet, the J5-W.
Human Security has seen at least 74,000 Android devices showing signs of a Badbox infection worldwide, including some in schools across the United States.
The devices are made in China, although it is not known where the firmware backdoor was added. “Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a lot of bad things,” says Reid.
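As an added example (not from the article or from Human Security’s report), the following Python script shows the kind of check a home or school network administrator could run over a DNS resolver log to find hosts resolving the flyermobi.com domain that the report names. The dnsmasq-style log lines and the 192.168.1.x client addresses are constructed for illustration; matching is done on label boundaries so that a lookalike such as notflyermobi.com does not produce a false positive.

```python
import re
from collections import defaultdict

# Domain named in Human Security's Badbox reporting; extend with your own indicators.
BADBOX_DOMAINS = {"flyermobi.com"}

# Constructed sample lines in dnsmasq/Pi-hole query-log format (illustrative, not real captures).
SAMPLE_LOG = """\
Oct  5 09:12:01 dnsmasq[812]: query[A] flyermobi.com from 192.168.1.44
Oct  5 09:12:01 dnsmasq[812]: query[A] www.google.com from 192.168.1.10
Oct  5 09:12:03 dnsmasq[812]: query[A] cdn.flyermobi.com from 192.168.1.44
Oct  5 09:12:05 dnsmasq[812]: query[A] notflyermobi.com from 192.168.1.77
Oct  5 09:12:09 dnsmasq[812]: query[AAAA] flyermobi.com from 192.168.1.52
"""

# Pulls the queried name and the client address out of one dnsmasq query line.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def domain_matches(name, watchlist):
    """True if name equals a watchlisted domain or is a subdomain of one.

    Suffix matching on a label boundary ('.' + domain) avoids treating
    'notflyermobi.com' as a hit for 'flyermobi.com'.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_badbox_clients(log_text, watchlist=BADBOX_DOMAINS):
    """Return {client_ip: sorted list of matching names} for every client
    that resolved a watchlisted domain in the given log text."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (answers, cache hits, startup banner)
        if domain_matches(m["name"], watchlist):
            hits[m["client"]].add(m["name"].lower().rstrip("."))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(find_badbox_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(names)}")
```

A DNS hit only tells you a device reached for the domain; the next step is to identify the device behind the address (a DHCP lease table will usually name the TV box model) and pull it off the network rather than trying to clean firmware that was backdoored before purchase.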
Several types of fraud were linked to the compromised devices, including ad fraud, residential proxy services, the creation of fake Gmail and WhatsApp accounts, and remote code installation.
Yarochkin says Trend Micro found a “front company” in China for the group it investigated.
“They were claiming that they had over 20 million devices infected worldwide, of which 2 million devices are online at any given time,” he says. “There was a tablet in one of the museums in Europe,” Yarochkin says, adding that he believes the scheme may have reached other Android systems, including those in cars. “It’s easy for them to infiltrate the supply chain,” he says. “And for manufacturers, that’s really hard to figure out.”
Human Security identified 39 Android, iOS and TV box apps involved in the app-based fraud element, called Peachpit. “These are template-based applications — not very high quality,” says Joao Santos, a security researcher at the company. The apps included one for developing six-pack abs and one for logging how much water a person drinks.
The apps not only contained hidden ads but also spoofed web traffic and delivered malware. Human Security’s research says the ads involved were driving 4 billion ad requests per day, affecting 121,000 Android devices and 159,000 iOS devices. The researchers calculated 15 million total downloads for the Android apps.
Google spokesperson Ed Fernandes confirmed that 20 Android apps reported by Human Security have been removed from the Play Store. Apple spokesperson Archie Thelmack says the company received reports of five apps from Human that violated its guidelines, and that the developers were given 14 days to comply with its rules.
Although the operation has now been slowed considerably, the malware remains in people’s homes and is very difficult to remove. “You can think of these Badboxes like sleeper cells. They’re just sitting there waiting for a set of instructions,” says Reid.