who have unknowingly purchased these infected Android TV devices, the consequences can be dire. Not only are their devices laced with malware, but they are unknowingly participating in a web of fraud schemes that are making millions of dollars.
The discovery of this scheme was made by security researcher Daniel Milisic in January when he found that a cheap Android TV streaming box called the T95 was infected with malware right out of the box. Further research confirmed that this was not an isolated incident, but a widespread problem affecting thousands of devices.
Now, cybersecurity firm Human Security is shedding light on the extent of the infected devices and the interconnected fraud schemes linked to them. They have identified seven Android TV boxes and one tablet with backdoors installed, and they suspect that 200 different models of Android devices may be impacted.
These infected devices are found in homes, businesses, and schools across the US. Human Security has also taken down advertising fraud related to the scheme, which likely helped finance the operation. The company has shared information about the facilities where the devices may have been manufactured with law enforcement agencies.
Human Security’s research focuses on two areas: Badbox, which involves the compromised Android devices and their involvement in fraud and cybercrime, and Peachpit, a related ad fraud operation involving multiple Android and iOS apps. Google has removed the apps following Human Security’s research, while Apple has found issues with some of the apps reported to them.
The cheap Android streaming boxes, which cost less than $50, are sold online and in physical stores under various names. Human Security researchers discovered an Android app linked to inauthentic traffic and connected to a domain called flyermobi.com. Once an infected device is plugged in, it connects to a command and control (C2) server in China and downloads instructions to carry out fraudulent activities.
Badbox is involved in various types of fraud, including advertising fraud, residential proxy services, the creation of fake Gmail and WhatsApp accounts, and remote code installation. Those behind the scheme sell access to residential networks, claiming to have access to over 10 million home IP addresses and 7 million mobile IP addresses.
Peachpit, the app-based fraud element, has been found on both the TV boxes and Android/iOS phones. Human Security identified 39 apps involved in Peachpit, which perform fraudulent behavior such as hidden advertisements, spoofed web traffic, and malvertising. It is likely that those behind Peachpit and Badbox are working together in some capacity.
Google and Apple have taken action against the fraudulent apps. Google removed the 20 Android apps reported by Human Security from the Play Store, while Apple gave developers 14 days to rectify guideline breaches. However, removing the malware from the infected devices is challenging, and they remain active in people’s homes and networks.
The discovery of this widespread fraud scheme highlights the vulnerability of cheap Android TV devices and the importance of being cautious when purchasing such products. It also underscores the need for stringent security measures and ongoing efforts to combat cybercrime.