Malware-Infected Devices Sold Through Major Retailers


Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. The operation sold backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers; the devices originated from repackaging factories in China.

The scheme, known as BADBOX, deploys the Triada malware as a “backdoor” on various devices such as CTV boxes, smartphones and tablets during the supply chain process in China.

Human’s Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.

These infected devices can steal personally identifiable information (PII), create fake messaging and email accounts and execute various fraudulent activities. Even after a factory reset, BADBOX-infected devices remain compromised, as the malware connects to a command-and-control (C2) server on first boot.

BADBOX’s ability to infiltrate devices sold by trusted e-commerce platforms and retailers makes it particularly dangerous.

“This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised,” commented Human Security’s chief information security officer, Gavin Reid.

“Of the devices Human acquired from online retailers, 80% were infected with BADBOX, which demonstrates how broadly they were circulating on the market.”


Additionally, in November 2022, Human’s Satori Threat Intelligence and Research Team uncovered an “ad fraud module” within BADBOX that used hidden ads and fake clicks to defraud advertisers. They also identified a group of Android, iOS and CTV apps, known as PEACHPIT, that conducted similar ad fraud independently of BADBOX.

“The cyber-criminals behind PEACHPIT utilized methods such as hidden advertisements, spoofed web traffic, and malvertising to monetize their scheme and defraud the advertising industry,” said Marion Habiby, data scientist at Human.

Human Security worked with tech giants Google and Apple to disrupt the PEACHPIT operation, sharing information with law enforcement. This collaboration aimed to raise the cost for cybercriminals and protect the advertising industry from fraudulent schemes.
