A dangerous backdoor discovered in Chinese TV set-top boxes

October 7, 2023

Last January, cybersecurity expert Daniel Milisic discovered that the T95 set-top box running Android TV (sold on Aliexpress, for example) was infected with malware out of the box. But that was just the tip of the iceberg: Human Security discovered an entire shadow network associated with infected devices and malware (PDF).

Human Security researchers found seven Android TV set-top boxes and one tablet sold with backdoors pre-installed, and found signs of malicious activity on 200 other Android device models. These devices are used in homes, educational institutions and workplaces. The researchers likened the operation to “a Swiss army knife that does bad things on the Internet.” The scheme has two parts: Badbox, a network of devices with pre-installed backdoors, and Peachpit, a network of apps that run fraudulent advertising schemes.

The Badbox part consists mostly of cheap Android set-top boxes priced below $50, sold online and in brick-and-mortar stores. They come unbranded or are sold under various names, which helps obscure their origin. The infected devices generate malicious traffic by contacting the Flyermobi.com domain. Eight such devices have been confirmed: the set-top boxes T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G, and the J5-W tablet. Human Security has detected at least 74,000 infected devices, including some in U.S. educational institutions.

They are all manufactured in China, and at some point before reaching the buyer a backdoor based on the Triada Trojan, which Kaspersky Lab discovered in 2016, is installed on them. It replaces one of the Android system components, giving it access to the applications installed on the device. Without the user’s knowledge, the backdoor connects to a command-and-control (C2) server located in China, downloads a set of instructions, and carries out malicious activity. Human Security identified several kinds of such activity: ad fraud schemes; selling the infected devices’ network connections as residential proxies, without the knowledge of the devices’ owners; registration of Gmail and WhatsApp accounts; and remote code execution.
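As an added example (not from the article or from Human Security’s report), the following Python script triages constructed resolver log lines and flags LAN clients that contact the Flyermobi.com beacon domain named above, or that report one of the device models listed as backdoored. The log format and the DHCP-supplied model field are assumptions; adapt the parser to your own resolver’s output.

```python
"""Flag LAN clients that resolve the Badbox beacon domain in DNS logs.

Added example; the log format is a constructed, simplified resolver log
of the form "<client_ip> <model-from-DHCP> query <qname>" (an assumption).
"""
import re
from collections import defaultdict

# Indicator named in the article: infected boxes beacon to Flyermobi.com.
BEACON_DOMAINS = {"flyermobi.com"}
# Device models the article lists as shipping with the backdoor.
KNOWN_BACKDOORED_MODELS = {"T95", "T95Z", "T95MAX", "X88", "Q9",
                           "X12PLUS", "MXQ PRO 5G", "J5-W"}

# Constructed sample resolver lines (not real traffic).
SAMPLE_LOG = """\
192.168.1.20 T95 query flyermobi.com
192.168.1.20 T95 query api.flyermobi.com
192.168.1.31 Pixel-7 query www.example.com
192.168.1.42 MXQ-Pro-5G query example.net
192.168.1.55 SmartTV query notflyermobi.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def is_beacon_domain(qname: str) -> bool:
    """True for the indicator domain itself or any subdomain, not look-alikes."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in BEACON_DOMAINS)

def is_known_model(model: str) -> bool:
    """Normalise DHCP hostnames such as 'MXQ-Pro-5G' before matching the list."""
    return model.replace("-", " ").upper() in KNOWN_BACKDOORED_MODELS

def triage(log_text: str) -> dict:
    """Return {client_ip: {"model", "beacons", "known_model"}} for every client
    that hit a beacon domain or reports a listed model; other clients are skipped."""
    hits = defaultdict(lambda: {"model": "", "beacons": 0, "known_model": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, model, qname = m.groups()
        beacon, known = is_beacon_domain(qname), is_known_model(model)
        if beacon or known:
            hits[ip]["model"] = model
            hits[ip]["known_model"] = known
            hits[ip]["beacons"] += int(beacon)
    return dict(hits)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

A client with beacons greater than zero is the strong signal; a listed model with no beacon hits is only a hint, since the same model names are also used for clean units.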

The people behind the scheme claimed to have access to more than 10 million home and 7 million mobile IP addresses, and offered access to this network for sale. According to Trend Micro experts, the scheme’s organizers have more than 20 million infected devices worldwide, with 2 million of them active at any given time. In one case, an infected tablet was discovered in a European museum; there is reason to believe that many other Android devices, cars included, may be affected.

The second part, named Peachpit, involves malicious apps that are found not only on TV set-top boxes but are also voluntarily installed by users on Android phones and iPhones. These are mostly low-quality template apps, for example sets of exercises such as ab workouts, or apps that track how much water the user has drunk. A total of 39 such apps were found for Android, iOS and TV set-top boxes. Besides their advertised functions, these apps run fraudulent advertising schemes and spoof traffic. Notably, these apps share characteristics with the malware pushed to Badbox devices.

The network generated up to 4 billion ad requests per day; 121,000 Android devices and 159,000 iPhones were involved in this traffic. The Android apps alone have been downloaded a total of 15 million times, the researchers estimate. The researchers do not have a complete picture, since the advertising industry is quite complex, but based on the available data alone, the scheme’s operators could easily make $2 million per month.

Google representative Ed Fernandez said that the company removed 20 Android apps from Google Play that Human Security researchers pointed out. He also said that devices with pre-installed backdoors are not Play Protect certified, which means Google has no data on the results of their security and compatibility tests; a list of certified partners is published on the Android site. Apple representative Archelle Thelemaque said that the company contacted the developers of the five apps named in the Human Security report, gave them 14 days to fix the problems, and four of the apps are no longer a threat.

Human Security’s disruption of Badbox and Peachpit took place at the end of 2022 and in the first half of this year. After the initial takedown actions, the attackers behind the schemes pushed updates to infected devices in an attempt to hide the activity. After that, the C2 servers that the firmware relied on to operate the backdoor were taken down. The effectiveness of both schemes has been greatly reduced, but the devices remain in use. The malware is very difficult to remove without technical skills, so the backdoored set-top boxes have turned into a kind of dormant device. Consumers are advised to buy products from manufacturers that are known and trusted.

Source: Port Altele
