The Badbox malware campaign, highlighted by Human Security experts, reveals dangers on more than 200 Android devices, including smartphones, TV boxes and televisions.
Many of you have seen yourself turning to cheap alternatives for technological devices. Generally smartphones or TV boxes running Android, from unknown brands. However, this approach hides notable risks.
The underside of Badbox
Business experts Human Security have brought to light a large-scale malicious campaign called Badbox. The latter is characterized by pre-installation of malware in Android devicessuch as smartphones, tablets and televisions, mainly of Chinese origin.
The researchers’ PDF report details the procedure followed by the criminals: malware called Triada is inserted into the devices’ OS. When turned on, they immediately connect to a server (Command and Control infrastructure, also called C2 or C&C), thus receiving instructions from the attackers.
The malware in question allows you to commit a series of varied fraudulent actions, ranging from ad fraud to the creation of fictitious Gmail and WhatsApp accounts, while minimizing the traces of these activities. According to Gavin Reid, security manager at Human Security, Badbox acts like a “Swiss army knife” in the dark world of the internet, providing cybercriminals with an arsenal of tools to carry out their misdeeds.
In addition, a module named Peach pit is used on both Android and iOS devices. Researchers counted up to 121,000 Android devices and 159,000 iOS devices interacting with around four billion ads in a single day via this module. Peach pit consists of 39 applications for Android and iOS, linked to a fake SSP, and implanting JavaScript code to retrieve information about the device running the application.
Protect yourself from Badbox
The threat is real, with over 200 infected Android device models identified. Especially since cleaning these devices is practically impossible for users, due to the fact that the malware resides on a read-only partition of the firmware.
Human Security’s recommendation is clear: you should avoid devices from unknown brands, and more specifically those which are not Play Protect certified (Google services). It is also crucial to exercise increased vigilance with regard to apps imitating legitimate apps, and to understand where they come from before downloading. In case of abnormal device behavior, a factory reset is recommended to eliminate compromised applications. We give you some advice in this file, to keep carefully aside.
It is important to note that devices affected by Badbox cannot be “fixed” by the general public. The decommissioning of these devices is recommended by the group of researchers… In short, we advise you not to use them.
We do not know the complete list of the 200 or more devices that are compromised. A concrete example of an infected device is the Android T95 TV Box, available on Amazon in different designs and products. These are very popular Android boxes, which can even be found at Thomson with a renowned model.