Smartphones and more: Many cheap Android devices infected with malware from the factory

Researchers at cybersecurity company Human Security have uncovered a large-scale malware campaign called Badbox, in which countless Android devices are equipped with malware before they are delivered to end customers. As the security researchers explain in their report (PDF), the affected devices are Android-based smartphones, tablets and TV boxes from one or possibly several Chinese manufacturers.

As part of Badbox, malicious actors deliberately place a backdoor based on malware called Triada in the firmware of affected devices. As soon as one of the infected devices is turned on by the consumer, it automatically connects to an attacker’s command and control server (C2) to receive commands, the report says.

Badbox covers ad fraud and more

According to the researchers, the pre-installed backdoor is used to provide proxy services, to create fake Gmail and WhatsApp accounts, and to install and execute further malware. A special role is played by an ad-fraud module called Peachpit, which loads advertisements in hidden WebViews and generates clicks on them. The user of the affected device usually notices nothing of this, the researchers write in their report.

Peachpit is probably not only used on Android devices that are factory-infiltrated via Badbox, but is also distributed via apps. At its peak, the researchers found around 121,000 Android and 159,000 iOS devices that viewed around four billion advertisements in a single day via this module.

More than 200 models affected

The researchers blame problems in the supply chain for Badbox's success. "At some point between the manufacture of these products and their delivery to resellers, physical retail stores and e-commerce warehouses, a firmware backdoor is installed and the product packaging is sealed in plastic," explain the security experts. This prepares each of these devices for fraudulent activity.

The researchers found over 200 different Android device models that were infected from the factory. End users have little chance of ridding these devices of the malware, because it sits on a read-only partition of the device firmware; a factory reset only wipes user data and leaves such a partition untouched. Since almost exclusively low-priced models from Chinese manufacturers are affected, the researchers recommend buying smartphones, tablets and TV boxes from well-known brands.
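One practical starting point for triaging a suspect device follows from that last paragraph: an app that shipped in the firmware lives on a read-only partition such as /system or /vendor, while anything the user installed lives under /data. The script below is an added example, not code from the Human Security report or its tooling. It parses the output of `adb shell pm list packages -f` (the real Android package-manager command; the sample output and the package names in it are constructed for illustration) and lists which packages are firmware-resident but absent from an allowlist that, in practice, you would take from a known-clean reference device of the same model.

```python
"""Triage helper: classify packages from `adb shell pm list packages -f`
by the partition their APK lives on.

Added example for this article, not part of the Human Security report.
Package names and paths below are constructed for illustration.
"""
from collections import defaultdict

# Partitions that are mounted read-only on a stock Android device. An APK
# here was shipped in the firmware image; a factory reset only wipes /data.
READ_ONLY_PARTITIONS = ("/system", "/system_ext", "/vendor", "/product", "/odm", "/oem")

# Constructed sample of `pm list packages -f` output (format: package:<apk path>=<name>).
SAMPLE_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Browser/Browser.apk=com.android.browser
package:/vendor/app/VendorDemo/VendorDemo.apk=com.example.vendor.demo
package:/system/priv-app/UpdateService/UpdateService.apk=com.example.updatesvc
package:/data/app/~~abc==/com.example.game-1/base.apk=com.example.game
garbage line that should be ignored
"""

# Hypothetical allowlist, as it would be collected from a clean reference device.
EXPECTED_ALLOWLIST = frozenset({
    "com.android.settings",
    "com.android.browser",
    "com.example.vendor.demo",
})


def parse_pm_list(output: str) -> dict[str, str]:
    """Map package name -> APK path for every well-formed line; skip the rest.

    The path itself may contain '=' (e.g. /data/app/~~abc==/...), so split on
    the LAST '=' rather than the first.
    """
    packages = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            packages[name] = path
    return packages


def partition_of(apk_path: str) -> str:
    """Top-level partition an APK path belongs to ('/data' for user installs)."""
    for part in READ_ONLY_PARTITIONS:
        if apk_path == part or apk_path.startswith(part + "/"):
            return part
    if apk_path.startswith("/data/"):
        return "/data"
    return "other"


def classify(packages: dict[str, str]) -> dict[str, list[str]]:
    """Group package names by partition so firmware-resident apps stand out."""
    groups = defaultdict(list)
    for name, path in packages.items():
        groups[partition_of(path)].append(name)
    return {part: sorted(names) for part, names in groups.items()}


def firmware_resident_unknown(packages: dict[str, str], allowlist) -> list[str]:
    """Packages on a read-only partition that are not on the allowlist.

    On a clean reference device of the same model this is empty; anything
    listed here deserves a look at the APK itself (signer, permissions, and
    the hosts it talks to on first boot).
    """
    return sorted(
        name for name, path in packages.items()
        if partition_of(path) in READ_ONLY_PARTITIONS and name not in allowlist
    )


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_OUTPUT)
    for part, names in sorted(classify(pkgs).items()):
        print(f"{part}: {', '.join(names)}")
    print("firmware-resident, not on allowlist:",
          firmware_resident_unknown(pkgs, EXPECTED_ALLOWLIST))
```

On a real device you would pipe `adb shell pm list packages -f` into `parse_pm_list`. Note that a package on a read-only partition can at best be disabled for the user (`pm disable-user --user 0 <package>`), not uninstalled, and a backdoor that loads from the firmware partition at boot can re-enable or replace what it needs; reflashing a trustworthy firmware image, where one exists, is the only real cure, which is the point the researchers make.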
