From Badbox to Peachpit Malware: Unraveling Android’s Multi-Million Dollar Scam

Badbox malware

In January, cyber-security researcher Daniel Milisic uncovered a low-cost Chinese-made Android streaming box named T95, which, upon unboxing, was found to have pre-installed malware. Subsequently, other security experts confirmed this discovery, suggesting this was merely the tip of the iceberg.

Last week, Human Security researchers presented new insights into the extent of Android devices shipping with built-in malware and the intricate web of scams linked to this malicious software. The team at Human Security identified malware in seven streaming box models and one Android tablet. Furthermore, they discovered evidence indicating that approximately 200 different device models were compromised. These compromised devices found their way into American households, businesses, and schools. Meanwhile, those who introduced the malware into these inexpensive Android devices ran fraudulent advertising campaigns, which Human Security reports have since been dismantled.

Gavin Reid, Chief Security Officer of Human Security, remarked, “They’re like a Swiss Army knife of doing bad things on the Internet. This is a truly distributed way of doing fraud.” Human Security split this scam operation into two segments. The first, named ‘Badbox’, covers the malware and the affected devices, as well as their connection to sophisticated tech crimes. The second, dubbed ‘Peachpit’, revolves around a fraudulent advertising campaign associated with at least 39 apps on both iOS and Android. As for the two predominant mobile operating systems, Google stated that, following Human Security’s research findings, it purged the malware-ridden apps from the Play Store; Apple, for its part, identified issues in several of the disclosed apps.

Delving into ‘Badbox’, these affordable streaming boxes originating from China typically retail for less than 50 USD. They’re available online and in tech stores, often sold under varying brand names. Some smaller vendors rebrand them, while others don’t brand them at all, which obfuscates their origin.

In the latter half of 2022, Human Security disclosed that its researchers had detected an app directing unauthorized traffic to flyermobi.com. In January, when researcher Milisic unveiled his findings, this domain resurfaced, prompting Human Security to procure numerous cheap Android streaming boxes for extensive research.

In total, they discerned eight products with embedded malware: T95, T95Z, T95MAX, X88, Q9, X12PLUS, MXQ Pro 5G, and the J5-W tablet. Furthermore, Human Security revealed a staggering 74,000 globally distributed Android devices exhibiting traces of the Badbox malware, including those utilized in several American schools.

A commonality among these devices was their manufacturing base in China. Before the devices reached retailers, a firmware backdoor had already been introduced. This backdoor, believed to be rooted in the Triada malware detected by Kaspersky Labs in 2016, enabled the device to autonomously access data from installed apps and relay it to predetermined domains.

Human Security determined that the Badbox malware was employed for various online criminal endeavors, including ad fraud, selling residential proxy access that grants anonymous online access through the infected devices, abusing the devices’ connections to set up Google and WhatsApp accounts, and remote malware installation. According to the cyber-security researchers, those offering the residential proxy services claimed access to 10 million household IPs and 7 million mobile device IPs.

Another cyber-security research entity, Trend Micro, identified a ghost company acting as a front for high-tech crimes, headquartered in China.

Turning to ‘Peachpit’, it encompasses various online criminal activities executed via malware-infested apps, spanning TV boxes and smartphones on both iOS and Android platforms. As mentioned, Human Security identified 39 malware-infested apps, including fitness and daily water intake tracking applications.

From concealed ads and website traffic boosting to malicious ad operations, these corrupted apps were capable of executing it all. Based on the security experts’ findings, Peachpit generated daily ad requests numbering in the billions, affecting approximately 121,000 Android and 159,000 iOS devices. Consequently, online fraudsters exploited this malware to amass an estimated 2 million USD monthly.

Via: wired.com