Tens of thousands of Android devices have been shipped to end-users with backdoored firmware, according to a warning from cybersecurity vendor Human Security.
As part of the global cybercriminal operation called BadBox (PDF), Human Security found a threat actor relied on supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with the Triada malware.
The infected devices come from at least one Chinese manufacturer; before they reach resellers, physical retail stores, and e-commerce warehouses, a backdoor has been injected into their firmware.
“Products known to contain the backdoor have been found on public school networks throughout the United States,” Human says.
Discovered in 2016, Triada is a modular trojan that resides in a device’s RAM, relies on the Zygote process to hook all applications on Android, and actively uses root privileges to substitute system files. Over time, the malware went through various iterations and was found pre-installed on low-cost Android devices on at least two occasions.
As part of the BadBox operation that Human Security discovered, the infected low-cost Android devices allow threat actors to carry out various ad-fraud schemes, including one named PeachPit, which at its peak relied on 121,000 Android and 159,000 iOS devices infected with malware, and on 39 Android, iOS, and CTV-centric apps designed to connect to a fake supply-side platform (SSP).
One of the modules delivered to the infected devices from the command-and-control (C&C) server allows the creation of WebViews that are fully hidden from the user, but which “are used to request, render, and click on ads, spoofing the ad requests to look like they’re coming from certain apps, referred by certain websites, and rendered” on specific devices.
BadBox, Human Security notes, also includes a residential proxy module that allows the threat actors to sell access to the victim’s network. Furthermore, they can create WhatsApp messaging accounts and Gmail accounts they can then use for other malicious activities.
“Finally, because of the backdoor’s connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner’s permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices’ owners,” Human notes.
The cybersecurity firm says that it has managed to disrupt the PeachPit ad fraud scheme and that the BadBox operators have since taken down their C&C servers, likely in order to adapt and circumvent the defensive measures deployed against them.
Human also warns that end-users cannot clean BadBox-infected devices themselves, since the backdoor resides in the firmware partition, and notes that almost all infected devices sit at a lower price point; it recommends that users choose familiar brands when purchasing new products.