In the ever-connected world of today, our devices serve as gateways to the digital realm, granting us access to an array of services, entertainment, and information. However, recent revelations have unveiled a deeply concerning issue plaguing thousands of Android devices, one that hides in the shadows and poses a serious threat to users’ security and privacy. This article delves into the alarming discovery of unkillable backdoors preinstalled on Android devices, the scale of the problem, and its implications for users and the cybersecurity landscape.
The Unseen Threat: Unkillable Backdoors
Imagine purchasing a TV streaming box, a seemingly innocuous device designed to enhance your entertainment experience. You expect it to deliver content seamlessly, but what you don’t expect is for it to come preloaded with malicious software or engage in suspicious activities like unauthorized communications with servers in distant locations. Unfortunately, for thousands of individuals who unknowingly own inexpensive Android TV devices, this nightmare has become a reality.
The unsettling saga began in January when security researcher Daniel Milisic made a shocking discovery. He found that a low-cost Android TV streaming box called the T95 was infected with malware right out of the box. Subsequent investigations by multiple researchers confirmed Milisic’s findings, shedding light on a much larger and more insidious issue lurking beneath the surface.
This week, cybersecurity firm Human Security has unveiled new details about the extent of the infected devices and the intricate web of fraud schemes tied to these Android TV boxes. The findings paint a grim picture of an interconnected ecosystem of compromised devices, fraudulent activities, and unsuspecting victims.
Unveiling the Scope of the Problem
Human Security’s researchers have uncovered seven Android TV boxes and one tablet, all infected with these unkillable backdoors. However, the scale of this issue extends far beyond these isolated cases. They have identified signs of potential infections on approximately 200 different models of Android devices, as reported exclusively by WIRED. These infected devices have infiltrated homes, businesses, and even schools across the United States.
Moreover, Human Security’s investigation has unveiled a disturbing array of fraud schemes linked to these compromised devices. These activities include advertising fraud, the sale of residential proxy services (providing access to unsuspecting users’ home networks), the creation of fake Gmail and WhatsApp accounts, and remote code installation. In essence, these devices serve as versatile tools for perpetrating cybercrimes.
Perhaps one of the most alarming revelations is that those behind this scheme have been selling access to residential networks on a commercial scale. The report states that the operators claim to have access to over 10 million home IP addresses and 7 million mobile IP addresses. This indicates a wide-reaching and lucrative operation that poses severe risks to users.
The Inner Workings of the Threat
The infected Android TV devices are typically sold online and in physical stores, often under different names or unbranded, making it difficult for consumers to determine their true source. The devices, typically priced at less than $50, originate from China, and the malware is introduced somewhere along the supply chain before they reach resellers.
The malware responsible for these unkillable backdoors is derived from the Triada malware, initially discovered by security firm Kaspersky in 2016. Once the malware is installed on these devices, it embeds itself into the Android operating system, granting itself access to installed apps. The compromised device then establishes communication with a command and control (C2) server located in China, where it downloads instructions to carry out malicious activities.
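A device that "downloads instructions" from a server it was never meant to talk to leaves a network-side trace: regular, repeated lookups or connections from one host to a name the household does not otherwise use. The script below is an added illustration of that detection idea and is not from the article, from Human Security, or from any of the research cited. The log format, the IP addresses, the domain names and the allowlist are all constructed for the example; the `.invalid` name is a placeholder, not a real indicator.

```python
"""Flag devices on a home network that query an unfamiliar name on a steady cadence.

Added example, not from the article: log format, addresses, names and the
allowlist below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed router DNS log: "<ISO timestamp> <client-ip> <queried-name>".
# 192.168.1.23 plays the part of a TV box polling one name every five minutes.
SAMPLE_DNS_LOG = """\
2023-10-05T20:00:01 192.168.1.23 tv-box-update.constructed.invalid
2023-10-05T20:00:04 192.168.1.10 www.example.com
2023-10-05T20:05:01 192.168.1.23 tv-box-update.constructed.invalid
2023-10-05T20:07:30 192.168.1.10 mail.example.com
2023-10-05T20:10:01 192.168.1.23 tv-box-update.constructed.invalid
2023-10-05T20:15:02 192.168.1.23 tv-box-update.constructed.invalid
2023-10-05T20:16:11 192.168.1.10 www.example.com
2023-10-05T20:20:01 192.168.1.23 tv-box-update.constructed.invalid
2023-10-05T20:21:45 192.168.1.10 cdn.example.net
"""

# Domains the household knowingly uses (constructed allowlist). Anything else is "unfamiliar".
KNOWN_DOMAINS = {"example.com", "example.net"}


def parse_dns_log(text):
    """Yield (timestamp, client_ip, queried_name) from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.rstrip(".").lower()


def registered_domain(name):
    """Reduce a host name to its last two labels; adequate for a simple allowlist."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def find_beacons(text, known=KNOWN_DOMAINS, min_hits=4, max_jitter_ratio=0.2):
    """Return {(client_ip, name): mean_interval_seconds} for unfamiliar names that a
    client queried at least min_hits times with inter-arrival times whose spread is
    at most max_jitter_ratio of their mean. Regular timing toward a name nobody in
    the house recognises is what a device polling for instructions looks like
    from the router's point of view."""
    seen = defaultdict(list)
    for ts, client, name in parse_dns_log(text):
        if registered_domain(name) in known:
            continue  # traffic to a known domain is not what we are hunting for
        seen[(client, name)].append(ts)

    beacons = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, name), interval in find_beacons(SAMPLE_DNS_LOG).items():
        print(f"{client} queries {name} roughly every {interval}s; inspect this device")
```

On the constructed log the only hit is the TV box, which resolves the unfamiliar name about every 300 seconds while the laptop's traffic to allowlisted domains is ignored. In practice the allowlist would be built from a few days of baseline traffic, and a flagged device is a candidate for isolation on a guest VLAN or removal rather than proof of compromise on its own.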
The Collaborative Efforts of Fraud
Human Security’s research uncovers two interconnected areas of fraud: Badbox and Peachpit. Badbox pertains to the compromised Android devices and their involvement in various fraudulent activities. Peachpit, on the other hand, focuses on an ad fraud operation that spans Android, iOS apps, and Android TV boxes.
The Badbox scheme involves the infected devices, and the findings reveal the breadth of their activities, including the creation of fraudulent advertisements, offering residential proxy services, the proliferation of fake accounts, and remote code installation. While Peachpit may seem distinct, it is related, with both schemes potentially working in tandem.
The fraudulent activities perpetrated by these schemes are extensive. Human Security’s research estimates that the involved ads generated a staggering 4 billion ad requests daily. Approximately 121,000 Android devices and 159,000 iOS devices were affected, and the fraudulent Android apps were downloaded a combined 15 million times.
The Response from Tech Giants
In response to Human Security’s research, Google has confirmed the removal of 20 Android apps associated with the fraudulent schemes from its Play Store. Google emphasized that the infected devices were not Play Protect–certified Android devices, indicating that the company lacks records of security and compatibility testing for such devices. Google maintains a list of certified Android TV partners to ensure user safety.
Apple, too, has taken action against the fraudulent apps identified by Human Security, finding issues with five of them. The developers were given 14 days to rectify the issues, with four of them complying by the time of publication.
The Ongoing Battle Against Unkillable Backdoors
While Human Security’s countermeasures have disrupted the fraudulent activities associated with Badbox and Peachpit, the threat is far from eradicated. The infected Android TV devices remain in users’ homes and networks, posing a latent danger. The malware embedded in these devices is notoriously challenging to remove, making them akin to “sleeper cells” waiting for malicious instructions.
In light of these revelations, it is crucial for consumers to exercise caution when purchasing TV streaming boxes. Opting for recognized, trusted brands can significantly reduce the risk of falling victim to such threats. As Gavin Reid, the CISO at Human Security, aptly puts it, “Friends don’t let friends plug in weird IoT devices into their home networks.”
In summary, the discovery of unkillable backdoors preinstalled on Android devices is a stark reminder of the evolving nature of cybersecurity threats. Vigilance and scrutiny are essential, as these threats can infiltrate even the most seemingly harmless devices, endangering the privacy and security of users worldwide.