Malware-Infected Devices Sold Through Major Retailers

Cyber Security Threat Summary:
“Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China” (Info Security Magazine, 2023).

The campaign, which the researchers tagged as BADBOX, is used to deploy the Triada malware, which creates a backdoor on various devices including CTV boxes, smartphones, and tablets. The researchers observed more than 74,000 Android-based devices with signs of infection.

The impacted devices can be used to steal personally identifiable information (PII) and to create fake messaging and email accounts for other malicious activities. Most concerning, the malware is persistent: it remains on the devices after a factory reset because of how it connects to a command-and-control (C2) server on first boot.

“Additionally, in November 2022, Human's Satori Threat Intelligence and Research Team uncovered an "ad fraud module" within BADBOX, hidden ads and fake clicks defrauding advertisers. They also identified a group of Android, iOS and CTV apps, known as PEACHPIT, that conducted similar ad fraud independently of BADBOX” (Info Security Magazine, 2023). "The cyber-criminals behind PEACHPIT utilized methods such as hidden advertisements, spoofed web traffic, and malvertising to monetize their scheme and defraud the advertising industry," said Marion Habiby, data scientist at Human.

Security Officer Comments:
Because the malware is delivered through the supply chain via legitimate vendors, it is nearly impossible for users of these devices to know that they have been compromised. "Of the devices Human acquired from online retailers, 80% were infected with BADBOX, which demonstrates how broadly they were circulating on the market."

The researchers said the “cybercriminal enterprise didn’t discriminate, they went after consumers around the world both in the private and public sectors”. According to some reports, “Products known to contain the backdoor have been found on public school networks throughout the U.S.”

“Triada, the malware used to implant the backdoor in BADBOX—was heavily reported on upon its discovery in 2016 because of its sophistication and ability to adapt. It was able to hide using advanced techniques and it used a command-and-control server process which could deliver unique modules (aka kinds of fraud) to "VIP targets." Once installed, it could read, write, and edit everything on the phone, but with an initial focus on SMS messages since this is where one-time-passwords are shared, login credentials, and other sensitive details” (Human Security, 2023).

Suggested Correction(s):
Human Security worked with tech giants Google and Apple to disrupt the PEACHPIT operation, sharing information with law enforcement. This collaboration aimed to raise the cost for cybercriminals and protect the advertising industry from fraudulent schemes.

Human Security says users are now protected from PEACHPIT due to its disruption of the botnet, but offers a few additional actionable first steps that organizations can take to safeguard their businesses from these types of attacks now and in the future:

  • Sharing Supply Chain Object (SCO): Encourage clients to share detailed information about their supply chain, including third-party vendors and partners. This will help identify any potential weak links in the supply chain and enable proactive measures to secure the entire ecosystem.
  • Updating ads[.]txt Files: Ads.txt is a standard that helps prevent unauthorized inventory sales in the programmatic advertising ecosystem. Recommend clients regularly review and update their ads[.]txt files to ensure they only authorize approved sellers, reducing the risk of ad fraud.
  • Regular Software and Firmware Updates: Emphasize the importance of regularly updating software, firmware, and applications to patch known vulnerabilities and stay protected against the latest threats.
  • Continuous Threat Intelligence: Recommend the use of threat intelligence services to stay informed about the evolving threat landscape and adapt defense strategies accordingly.
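To make the ads.txt review above concrete, here is an added example (not code from Human Security or the article) that parses an ads.txt file in the IAB format and flags seller entries that are not on an operator-maintained approved-seller list. The file contents and the approved list are constructed samples.

```python
# Added example: audit an ads.txt file against an allow-list of approved sellers.
# IAB ads.txt record format (one per line):
#   <ad system domain>, <seller account id>, <DIRECT|RESELLER>[, <cert authority id>]
# '#' starts a comment; 'KEY=value' lines (CONTACT=, SUBDOMAIN=) are variables, not sellers.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class AdsTxtRecord:
    domain: str
    account_id: str
    relationship: str
    cert_id: Optional[str]

def parse_ads_txt(text: str) -> Tuple[List[AdsTxtRecord], List[str]]:
    """Parse ads.txt content; returns (seller records, malformed raw lines)."""
    records, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        if "=" in line and "," not in line:         # variable line, e.g. CONTACT=...
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            malformed.append(raw)                   # keep for manual review
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], fields[2].upper(), cert))
    return records, malformed

def find_unapproved(records: List[AdsTxtRecord],
                    approved: Set[Tuple[str, str]]) -> List[AdsTxtRecord]:
    """Return records whose (domain, account id) pair is not on the approved list."""
    return [r for r in records if (r.domain, r.account_id) not in approved]

# Constructed sample file: the third seller line is not on the approved list.
SAMPLE_ADS_TXT = """\
# ads.txt for example.com (constructed sample)
CONTACT=adops@example.com
exchange-a.example, 12345, DIRECT, abcdef0123456789
exchange-b.example, 67890, RESELLER
Exchange-A.example, 99999, DIRECT   # unknown account on a known exchange
bad line without relationship
"""
APPROVED = {("exchange-a.example", "12345"), ("exchange-b.example", "67890")}

if __name__ == "__main__":
    recs, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    for r in find_unapproved(recs, APPROVED):
        print(f"UNAPPROVED seller: {r.domain} account {r.account_id} ({r.relationship})")
    for b in bad:
        print(f"MALFORMED line: {b!r}")
```

Run it against the live ads.txt on a scheduled basis and treat any unapproved or malformed entry as a change-control event rather than silently removing it.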