
Infected Android TV Boxes Used to Steal Millions of Dollars


Cybercriminals are using cheap Android devices to run a multi-million-dollar fraud operation. Human Security, a cybersecurity firm, has identified at least eight compromised models of Android TV box being used for organized crime. The network of infected devices is concentrated in the US.

At least eight Android TV box models were found with malware

The Human Security report ties eight Android TV box models to large-scale cybercriminal activity. The seven named models are T95, T95Z, T95MAX, X88, Q9, X12 Plus, and MXQ Pro 5G. As the names suggest, they are not brand-name devices; at best they come from obscure, little-known brands. All of them are manufactured in China, and all of them shipped with malware built into their firmware.

The preinstalled malware, a backdoor derived from Triada, runs silently; the user never sees any sign of malicious activity. Once an infected box is plugged in, it phones home to servers in China, giving the operators complete control over the device, which then becomes part of a vast network of “zombie” devices. The network performs ad-click fraud, turns the victims' home internet connections into residential proxies for hire, launches DDoS attacks, and silently mines cryptocurrency.

Human Security has confirmed eight Android TV box models with preloaded malware, but the true number of affected models could be as high as 200. The suspect devices form a global network of more than 74,000 infected nodes, concentrated in the US and reaching into homes, offices, and schools. “They’re like a Swiss Army knife of doing bad things on the internet. This is a truly distributed way of doing fraud,” Gavin Reid, Human Security’s CISO, remarked.

Funding for the Operation

The Human Security report has two parts: Badbox and PeachPit. Badbox covers the network of infected Android TV boxes. PeachPit is an app-based fraud operation that funded Badbox. At least 39 Android and iOS apps, freely available on the Play Store and App Store, were involved in PeachPit. They spoof traffic and deliver hidden ads.

The PeachPit apps have 15 million downloads on the Google Play Store alone and have affected 121,000 devices. Researchers calculated that the fraud could have generated at least $2 million a month.

Hacker Activity is Slowing Down

Google has already removed the identified apps from the Play Store. Apple has also found five apps breaking its App Store guidelines and has given their developers two weeks to comply.

Since the discovery, Badbox activity has also dropped off: the attackers are powering down the servers that talk to the Android TV malware. For now the infected devices are sleeper agents. The malware is still there, and detecting or removing it takes significant technical expertise.
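A box with firmware-level malware cannot be trusted to report on itself, so the practical check for a home or small-office network is to watch what it does on the wire: a sleeper device that wakes up will phone home to a server that a stock TV box has no reason to contact, usually on a fixed schedule. The script below is an added example, not code from Human Security or the Badbox report. It assumes untrusted TV boxes have been put on their own VLAN (the `IOT_SUBNET` prefix) and that the router or firewall exports a simple connection log; the log format, the allowlist, and every host name and address in it are constructed for illustration.

```python
"""Flag IoT-segment devices whose outbound traffic looks like a box phoning home.

Added example, not code from Human Security or the Badbox report. It assumes
that untrusted TV boxes have been put on their own VLAN (IOT_SUBNET) and that
the router or firewall exports a simple connection log. The log format and
every host name below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the IoT VLAN and the small set of destinations a stock box legitimately needs.
IOT_SUBNET = "192.168.50."
ALLOWED_HOSTS = {"time.android.com", "connectivitycheck.gstatic.com", "play.googleapis.com"}

# Constructed connection log: "<epoch> <src_ip> <dst_host> <dst_port>".
# 192.168.50.20 beacons to an unknown host every ~300 s; .21 is well behaved;
# .22 makes one stray connection; 192.168.1.10 is a laptop outside the IoT VLAN.
SAMPLE_LOG = """\
1000 192.168.50.20 update-srv.example 443
1000 192.168.50.21 time.android.com 123
1100 192.168.50.22 cdn.example 80
1302 192.168.50.20 update-srv.example 443
1400 192.168.1.10 files.example 443
1598 192.168.50.20 update-srv.example 443
1700 192.168.50.21 play.googleapis.com 443
1901 192.168.50.20 update-srv.example 443
2199 192.168.50.20 update-srv.example 443
2500 192.168.50.20 update-srv.example 443
"""


def parse_flows(text):
    """Parse the constructed log into (timestamp, src_ip, dst_host, dst_port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def beacon_interval(timestamps, min_count=4, max_jitter=0.15):
    """Return the mean gap between connections if they are evenly spaced, else None.

    Evenly spaced check-ins (low jitter relative to the interval) are the
    signature of a scheduled C2 callback rather than user-driven traffic.
    """
    if len(timestamps) < min_count:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    interval = mean(gaps)
    if interval <= 0 or pstdev(gaps) / interval > max_jitter:
        return None
    return interval


def find_suspects(flows):
    """Map (src_ip, dst_host, dst_port) to the reasons it was flagged.

    Only devices on the IoT VLAN are examined; anything they reach that is not
    on the allowlist is reported, and periodic contact is called out separately.
    """
    contacts = defaultdict(list)
    for ts, src, dst, port in flows:
        if not src.startswith(IOT_SUBNET) or dst in ALLOWED_HOSTS:
            continue
        contacts[(src, dst, port)].append(ts)

    suspects = {}
    for key, times in contacts.items():
        reasons = ["unexpected destination"]
        interval = beacon_interval(times)
        if interval is not None:
            reasons.append(f"periodic, ~{round(interval)}s interval")
        suspects[key] = reasons
    return suspects


if __name__ == "__main__":
    for (src, dst, port), reasons in find_suspects(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{port}: {'; '.join(reasons)}")
```

The allowlist approach only works because the boxes are segmented: on a flat network a TV box's traffic is indistinguishable from everyone else's, which is exactly why the advice below is to keep untrusted devices off the main home network. Tune `max_jitter` upward if your log timestamps are coarse, and treat a single "unexpected destination" hit as something to look at rather than proof of compromise; the periodic flag is the stronger signal.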

Human Security cautions consumers to buy branded Android TV boxes and not to allow untrusted IoT devices onto their home network. “Friends don’t let friends plug in weird IoT devices into their home networks,” Reid warned.