Chinese Criminals Backdoor Android Devices for Ad FraudBrand-New Android Smartphones, Tablets and Connected TVs Harboring Trojan Backdoor
Tens of thousands of knock-off Android products manufactured in China including TV streaming boxes reached consumers infected with malware, said cybersecurity researchers. Human Security in a Wednesday report said it uncovered a related operation that earned millions per month in an online advertising fraud scheme.
The ad fraud network is mostly dismantled, and the supply chain scheme is dormant - for now. The hackers will try again to reach their infected devices, Gavin Reid, Human Security's chief information security officer, told Information Security Media Group.
The New York City-based company calls the device infection syndicate "Badbox" and the Chinese group behind the ad fraud scheme "Peachpit."
"I'm guessing that it's a loose federation of people who are doing a bunch of stuff," said Reid. Peachpit malware is an optional module in Badbox devices, but the ad fraud schemers also commanded an independent set of apps in the Google and Apple app stores to offer fake inventory to ad display networks.
App store providers culled Peachpit apps, and Badbox actors deleted malicious modules from infected devices, Reid said. "We took the rug out from underneath these guys," he said. "If we can't get them thrown in jail, let's make it not profitable for them to do this anymore."
Reid is not declaring total victory. Badbox devices still ping their command-and-control servers, meaning that threat actors probably have plans for the network of cheap Android bots they've seeded across the globe. "In six months, hopefully we'll be able to tell you more about that."
Human Security doesn't know how Badbox malware reaches devices. It's possible that criminal actors steal Android gadgets including phones, tablets and streaming devices and reinsert them into the supply chain with malicious code as an unwanted bonus. They might inject their firmware backdoor directly on the factory floor in collusion with at least one Chinese manufacturer. Human Security found evidence of "at least 200 distinct Android device types" infected with the backdoor, a variant of the Triada malware. It's impossible to calculate how many devices across the globe carry the malware, but Human Security said it observed at least 74,000 infected gadgets.
First analyzed by Kaspersky in 2016, Triada is a modular Android Trojan with root access to the operating system. Ordinary end users can't know their device is infected and the only recourse, failing a firmware swap out, is the trash bin.
Google in 2019 said it had found Android devices infected with the backdoor after a manufacturer sent them to a third-party vendor for system imaging meant to incorporate additional features.
Badbox devices perform a number of malicious acts. They act as proxies, giving bad actors an exit point from residential networks and internet protocol addresses more likely to be treated with kid gloves by security teams. Threat actors use them to create fake email and messaging accounts, possibly for astroturfing. And of course, they can download the Peachpit ad fraud malware.
At its November 2022 peak, Peachpit earned its creators about $2 million per month, Human Security estimated. On Badbox devices, Peachpit exploits the Android browser-lite WebView function to render ads without displaying them to the user. The hackers spoof ad metrics so it appears as if the ads were displayed within certain apps or were referred by certain websites. They also disguise the source device, sending back false data stating that the ads rendered on certain models of smartphones, tables or streaming devices where the user would have actually seen the ad.
Peachpit actors also offered 39 apps on Android, iOS and streaming device app stores containing a hard-coded connection to a fake supply-side platform, a component of the programmatic ad stack that aggregates available ad inventory for sale. Buyers in the highly automated world of online advertising had no idea they were paying for ads on Peachpit bots, Reid said.
"There is so much data going across these ad networks, it becomes unfortunately easy to hide in the noise. And that's why they're putting fake apps out there. That's why they're originating out of residential proxy networks in the U.S."
As with the ads served on Badbox infected devices, owners of devices carrying a Peachpit app may never have actually seen the ads.
Supply chain compromises are difficult to combat, since consumers assume the goods for sale on any semi-reputable e-commerce site are safe, Reid said. "That is not the case," he said, adding that if the price of a tablet seems too good to believe, it probably is.