Android Devices With Backdoored Firmware Found in US Schools

A global cybercriminal operation called BadBox has infected the firmware of more than 70,000 Android smartphones, CTV boxes, and tablets with the Triada malware.

Tens of thousands of Android devices have been shipped to end-users with backdoored firmware, according to a warning from cybersecurity vendor Human Security.

As part of the global cybercriminal operation called BadBox, Human Security found that a threat actor relied on a supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with the Triada malware.

The infected devices come from at least one Chinese manufacturer, but a backdoor is injected into their firmware before they are delivered to resellers, physical retail stores, and e-commerce warehouses.

“Products known to contain the backdoor have been found on public school networks throughout the United States,” Human says.

Discovered in 2016, Triada is a modular trojan that resides in a device’s RAM, abuses the Zygote process to hook every application on the Android device, and actively uses root privileges to substitute system files. Over time, the malware went through various iterations and was found pre-installed on low-cost Android devices on at least two occasions.

As part of the BadBox operation that Human Security discovered, the infected low-cost Android devices allow threat actors to carry out various ad-fraud schemes, including one named PeachPit, which at its peak relied on 121,000 Android and 159,000 iOS devices infected with malware, and on 39 Android, iOS, and CTV-centric apps designed to connect to a fake supply-side platform (SSP).

One of the modules delivered to the infected devices from the command-and-control (C&C) server allows the creation of WebViews that are fully hidden from the user, but which “are used to request, render, and click on ads, spoofing the ad requests to look like they’re coming from certain apps, referred by certain websites, and rendered” on specific devices.

BadBox, Human Security notes, also includes a residential proxy module that allows the threat actors to sell access to the victim’s network. Furthermore, they can create WhatsApp messaging accounts and Gmail accounts they can then use for other malicious activities.


“Finally, because of the backdoor’s connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner’s permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices’ owners,” Human notes.

The cybersecurity firm says that it has managed to disrupt the PeachPit ad fraud scheme and that the BadBox operators have taken down their C&C servers, likely to adapt and circumvent the deployed defensive measures.

Human also warns that end users cannot clean BadBox-infected devices themselves, since the backdoor resides in the firmware partition. Because almost all infected devices are lower-price-point products, the firm recommends that users choose familiar brands when purchasing new products.

Related: Xenomorph Android Banking Trojan Targeting Users in US, Canada

Related: Predator Spyware Hitting iOS, Android Devices via Zero-Days

Related: Banking Trojan Delivered via Google Play Targets Users in US, Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
