Android Devices Are Coming with an Unkillable Backdoor Pre-installed Out of the Box


Worrying news is emerging that thousands of Android devices are shipping with the advanced Triada malware already installed before the devices reach resellers' shelves.

When buying a TV streaming device you do not expect to have to worry that it will do something it should not be doing.

One such thing this box should not be doing is coming secretly laced with malware or phoning home to servers in China when powered on.

It should also not be a node that is part of an organized crime group that is making millions through fraud.

The sad reality is that thousands of unknowing people own cheap Android TV boxes that came with the Triada malware installed on them.



Daniel Milisic, a security researcher, in January discovered that a cheap Android TV box, the T95, was infected with malware right out of the box.

Multiple other security researchers confirmed this finding, but it turned out to be just the tip of the iceberg.

Human Security, a cybersecurity firm, revealed new details about the scope of infected devices as well as the hidden, interconnected web of fraud schemes linked to these streaming media boxes.

Threat researchers at Human Security found 7 Android TV boxes and a tablet with the backdoor installed, and have observed signs that 200 different models of Android devices may be impacted.

The scary part is that these compromised devices are in use in homes, businesses, and schools across the US.

Human Security has also said that it has taken down an advertising fraud ring that is linked to the scheme, which most likely helped to pay for the operation.

Gavin Reid, the CISO at Human Security, who leads the Satori Threat Intelligence & Research team, said:

“They’re like a Swiss Army knife of doing bad things on the internet. This is a truly distributed way of doing fraud.”

Reid said that Human Security has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

The research carried out by Human Security can be broken down into two areas.

The first area is known as Badbox; this covers the compromised Android devices and how they are being used in fraud and cyber crime.

The other area of research is called Peachpit. This relates to the ad fraud operation that involves at least 39 Android and iOS applications.

Google advised that it removed the malicious apps after Human Security's research was released, while Apple advised that it found issues in several of the apps that were reported.

We will first look at the Badbox research. These are cheap Android streaming boxes that usually cost less than $50 and are sold online as well as in brick and mortar shops; they are often unbranded or sold under different names, which usually obscures their source.

In its report, Human Security said that in the second half of 2022 its researchers noticed an Android application that looked like it was linked to inauthentic traffic and associated with the domain flyermobi[.]com.

The initial findings that Milisic posted in January concerned the T95 Android box, and they also showed the flyermobi domain that these devices were calling home to. The Human Security threat research team purchased this box and numerous others and dug into them.

The researchers confirmed that 8 devices in total had backdoors installed: 7 TV boxes and 1 tablet, covering the following models:

  • T95
  • T95Z
  • T95MAX
  • X88
  • Q9
  • X12PLUS
  • NXQ Pro 5G
  • Tablet J5-W

It is important to note that other security researchers looking into the same devices have flagged the same backdoors in recent months.

The company's report, which lists Marion Habiby as lead author, noted that Human Security observed at least 74,000 devices globally showing signs of Badbox infection. The worrying thing is that this number also includes devices at some schools across the USA.

These TV boxes are built in China. At some point before they reach the hands of resellers, and threat researchers cannot determine exactly where this happens, a backdoor is added to the firmware.

This backdoor is based on the Triada malware, which was first spotted in 2016 by Kaspersky. This malware strain modifies an element of the Android operating system, which allows it to access the apps installed on the device, and it then phones home.

Reid said:

“Unbeknownst to the user, when you plug this thing in, it goes to a command and control (c2) in China and downloads an instruction set and starts doing a bunch of bad stuff.”
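The only phone-home indicator the article names is the flyermobi[.]com domain. As an added example (not code from the article or from Human Security's research), the following Python script flags LAN clients that resolve that domain, run over a constructed dnsmasq-style DNS query log; the log format and the client addresses are assumptions.

```python
"""Flag LAN devices whose DNS queries match the Badbox phone-home domain named in the article."""
import re
from collections import defaultdict

# Indicator taken from the article (flyermobi[.]com); any other domain would be an assumption,
# so the set holds only that one entry.
BADBOX_DOMAINS = {"flyermobi.com"}

# Assumed dnsmasq-style log line: "<ts> dnsmasq[pid]: query[A] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def is_badbox_domain(name: str) -> bool:
    """True if name equals, or is a subdomain of, a listed domain (case-insensitive).

    A trailing dot (FQDN form) is ignored; 'notflyermobi.com' must NOT match.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BADBOX_DOMAINS)


def find_suspect_clients(log_lines):
    """Return {client_ip: sorted matching domains} for every client that resolved an indicator."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_badbox_domain(m.group("name")):
            hits[m.group("client")].add(m.group("name").lower().rstrip("."))
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample log (not real traffic); 192.168.1.40 plays the role of a TV box.
SAMPLE_LOG = """\
Oct 10 20:01:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Oct 10 20:01:05 dnsmasq[812]: query[A] api.flyermobi.com from 192.168.1.40
Oct 10 20:01:06 dnsmasq[812]: query[AAAA] flyermobi.com. from 192.168.1.40
Oct 10 20:01:09 dnsmasq[812]: query[A] notflyermobi.com from 192.168.1.11
""".splitlines()

if __name__ == "__main__":
    for ip, names in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: queried {', '.join(names)}")
```

On a real network the same check can be pointed at the resolver's query log; a hit identifies the client to isolate and inspect, not proof of infection on its own.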

Multiple types of fraud linked to these compromised devices were tracked by Human Security.

These included advertisement fraud, residential proxy services (where the group behind the scenes sells access to your home network), the creation of fake Gmail addresses and WhatsApp accounts using the compromised connections, and remotely installing code.

The company's report said that the threat actors behind the scenes were selling residential network access commercially. They also claim to have access to more than 10 million home IP addresses and 7 million mobile IP addresses.

Human Security's findings match what other threat researchers have observed, as well as ongoing investigations.

Fyodor Yarochkin, senior threat researcher at Trend Micro, said that they have seen 2 Chinese threat groups that have used these backdoored Android devices.

One they have researched in great detail, and the other has been researched by Human Security. Yarochkin said:

“The infection of devices is quite similar.”

Yarochkin said a “front end company” for the group Trend Micro investigated was found in China:

“They were claiming that they have over 20 million devices infected world wide with up to 2 million devices being online at any point of time.”

Yarochkin believes this information to be credible based on Trend Micro’s network data. He also states the following:

“There was a tablet in one of the museums somewhere in Europe. It’s easy for them to infiltrate the supply chain and for manufacturers, it’s really difficult to detect.”

Yarochkin also believes that many more Android systems could potentially be impacted, including cars.

Now we look at what Human Security dubbed Peachpit, an app-based fraud element which, Reid said, is present on TV boxes as well as Android phones and iPhones.

39 Android, iOS, and TV box apps were identified by Human Security as being involved in this fraud element.

Joao Santos, security researcher at Human Security, said:

“These are template based applications, not very high quality.”

Apps for developing a six pack, as well as for logging the amount of water one drinks, were also included in the findings.

A range of fraudulent behaviour was being carried out by these applications, including hidden advertising, spoofed web traffic, and malvertising.

Researchers believe that while those behind Peachpit appear different from those behind Badbox, they are ultimately working together in some way.

Santos said:

“They have this SDK that did the ad fraud part, and we found a version of this SDK that matches the name of the module that was being dropped on Badbox. That was another level of connection that we found.”

Research carried out by Human Security states that the ads involved were generating 4 billion ad requests per day, with 121,000 Android devices and an additional 159,000 iOS devices impacted.

Researchers calculated a total of 15 million downloads for the Android apps (note that the Badbox backdoor was found only on Android and not on any iOS devices).

Reid said that the data Human Security has does not give a full and complete picture, due to the complexity of the ad industry.

Those behind the scheme could have easily earned $2 million USD in one month alone.

Ed Fernandez, a spokesperson for Google, confirmed that 20 Android apps reported by Human Security had been taken off the Play Store.

Fernandez said:

“The off brand devices discovered to be Badbox infected were not Play Protect certified android devices.”

He is referring to Google’s security testing system for Android devices.

“If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results.”

Google has a list of certified Android TV partners.

Archelle Thelemaque, a spokesperson for Apple, said that it found 5 applications from the Human Security report that were actually breaching its guidelines. The developers were given 14 days to rectify the flaws in their apps that were in breach of the guidelines. Up until now only 4 have fixed the issues out of the 14.

Near the end of 2022 and the beginning of 2023, Reid said, Human Security took action against the advertising fraud element of Badbox and Peachpit.

Data shared by Human Security shows that the fraudulent ad activity from the schemes has come to a standstill.

Even though that activity has come to a standstill, the attackers have adapted in real time.

Santos said that when countermeasures were first deployed, those behind the schemes responded by sending out an update to obfuscate what they were doing. He then said those behind Badbox took down the C2 servers that were powering the firmware's backdoor.

Even though the attackers have been slowed down, the boxes are still connected to people's home networks.

Unless you, or someone you know, has the technical skills, the malware is actually very hard to remove.

Reid said:

“You think of these Badboxes as kind of like sleeper cells. They’re just sitting there waiting for instruction sets.”

For people buying TV streaming boxes, the advice is to buy branded devices where the manufacturer is clear and trusted.

As Reid says:

“Friends don’t let friends plug in weird IoT devices into their home networks.”
