Researchers find backdoor in thousands of generic Android set-top boxes

Caveat emptor: We all love a good deal, but sometimes, when pursuing them, we prove the adage, "You get what you pay for." Security researchers discovered thousands of cheap Android streaming boxes with firmware backdoors actively connected to command-and-control (C2) servers in China.

In January, security researcher Daniel Milisic found that a cheap, unbranded streaming box, only designated T95, was infected with unremovable malware seemingly straight from the factory. Several other researchers confirmed that the Android-based system was infected with a backdoor installed sometime before reaching retailers. However, more recent research claims that the problem may be more widespread than expected.

Human Security just revealed it has discovered seven Android streaming boxes with similar backdoors to the T95. It also found one tablet and the signs of at least another 200 Android device models that may be compromised. The research firm told Wired that it had tracked the devices and found them in US residences, schools, and businesses. It also found and took down an ad scam that likely funded the criminal operation. And what these devices do is illegal.

"They're like a Swiss Army knife of doing bad things on the Internet," Human Security CISO Gavin Reid said. "This is a truly distributed way of doing fraud."

Human Security has designated the infection as Badbox and the malicious advertising campaign as Peachpit.

The seven boxes impacted by Badbox are unbranded equipment manufactured in China. The researchers say the hackers could have installed the firmware backdoor sometime after the devices left the plant and before reaching resellers. The only real identifying markings on the devices appear to be model numbers rather than names. They include the original T95 found in January, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G. The generic Android tablet is simply identified as J5-W.

The malware is based on Triada, first discovered by Kaspersky in 2016. It slightly modifies the Android OS to allow it to access apps installed on the device. Then, it sets up communication with a C2 server.

"Unbeknownst to the user, when you plug this thing in, it goes to a command and control (C2) in China and downloads an instruction set and starts doing a bunch of bad stuff," Reid says.

Some of the "bad stuff" Reid mentions specifically includes advertising fraud, creating fake Gmail and WhatsApp accounts using the connections, and remote code installation. The bad actors also sell access to compromised home networks so other criminals can use the node as a proxy for illegal activity.

Human Security notes that the hackers were selling access to nodes on the dark web and claimed to have access to over 10 million home IP addresses and seven million mobile IPs. Fortunately, Milisic reports that the C2 hubs the malware connected to have been taken down, so the backdoor is effectively neutered for now. However, the malware is still in place and could conceivably be reactivated with new servers.

Additionally, the are several million similar cases unrelated to Badbox. Trend Micro studied a similar malware campaign with as many as 20 million impacted devices, which shows just how widespread the problem may be when looked at as a whole.

Buyer beware: That cheap streaming device could turn your home network into a hacker hub without you even knowing it. A good rule of thumb in this case would be if it doesn't have a brand name, it's probably best to take a hard pass.