Researchers on HUMAN Security's Satori team have recently discovered BADBOX, a vast network of consumer products whose compromised firmware was introduced through a tainted hardware supply chain.
Key Details of BADBOX
- Presence of firmware backdoors in at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes across the globe.
- Affected products have penetrated public school networks in the US.
- Chinese manufacturers have been implicated in compromising the supply chain to implant these backdoors.
- The backdoor is rooted in the Triada malware, historically spotted in several low-cost Android smartphones.
Understanding the Triada Backdoor
The Triada Trojan, first identified by Kaspersky Lab in 2016, was considered the most sophisticated mobile threat at the time of its discovery. Its unique features include:
- Primarily aimed at financial fraud, especially manipulating SMS transactions.
- Modular architecture, granting it extensive capabilities.
- Ability to inject its code into the Zygote parent process, allowing it to run inside every application on the device.
- Complete removal requires a total device wipe and OS reinstallation.
History has recorded incidents where the Triada Trojan was pre-installed on various brand-new devices. This is not the first time devices have been shipped with pre-installed malware.
Impact and Modus Operandi
- Allows the injection of additional modules, granting cybercriminals diverse fraudulent capabilities.
- Enables the creation of fake Gmail and WhatsApp accounts and the deployment of unauthorized code.
- One specific ad fraud scheme, named PEACHPIT, exploited this backdoor, affecting a significant number of Android and iOS devices and generating an average of 4 billion ad requests per day.
- While PEACHPIT has since been disrupted, other components of the BADBOX network lie dormant.
The PEACHPIT Scheme
The report by Human Security provides insight into a module of PEACHPIT that facilitates the creation of hidden WebViews. These are utilized to request, render, and click on ads, manipulating the source and type of ad requests.
Discovery and Investigation
In 2022, the Satori Team identified an Android app with suspicious activity. Further investigations unveiled connections to the flyermobi[.]com domain. Simultaneously, researcher Daniel Milisic discovered a link between a T95 box and flyermobi, emphasizing the need for a thorough examination of this device.
T95 Devices: A Hidden Threat
T95 devices, disguised as standard TV streaming units, play a pivotal role in the BADBOX scheme. These generic devices are easily customizable and distributable, making them perfect candidates for the malicious network.
Deep Dive into BADBOX’s Core
The heart of BADBOX, Corejava, underwent a thorough examination by Satori. The research revealed modifications to libandroid_runtime.so, a crucial component of the Android OS. Decrypting the modified library exposed the com.jar APK, which connects to a C2 server and enrolls the infected device in the BADBOX network.
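To turn the two findings above (the flyermobi[.]com domain and the tampered libandroid_runtime.so) into something a defender can check, here is an added example that is not from the HUMAN report: it flags resolver log lines that look up the BADBOX-linked domain, and compares a pulled copy of libandroid_runtime.so against a known-good hash. The log lines, the library bytes and the baseline hash are constructed for the example; the log format is dnsmasq-like and assumed.

```python
import hashlib
import re

# Domain the Satori team and Daniel Milisic tied to BADBOX (defanged in the
# write-up as flyermobi[.]com; resolver logs carry the real form).
BADBOX_DOMAINS = {"flyermobi.com"}

# Constructed resolver log in a dnsmasq-style "query[TYPE] <name> from <ip>" format.
SAMPLE_DNS_LOG = """\
Oct 10 09:12:01 dnsmasq[812]: query[A] ota.example-vendor.com from 10.0.3.21
Oct 10 09:12:07 dnsmasq[812]: query[A] cdn.flyermobi.com from 10.0.3.44
Oct 10 09:12:09 dnsmasq[812]: query[AAAA] www.wikipedia.org from 10.0.3.21
Oct 10 09:13:40 dnsmasq[812]: query[A] flyermobi.com from 10.0.3.44
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def find_badbox_lookups(log_text: str) -> list[tuple[str, str]]:
    """Return (source_ip, queried_name) for every lookup whose name is, or is a
    subdomain of, a known BADBOX C2 domain. Repeated hits from one source IP
    are the devices worth pulling off the network for inspection."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in BADBOX_DOMAINS):
            hits.append((m.group("src"), name))
    return hits


# Constructed stand-in for a clean vendor libandroid_runtime.so; on a real device
# the bytes come from pulling /system/lib64/libandroid_runtime.so over adb, and
# the baseline hash from the vendor's clean firmware image (both assumed here).
SAMPLE_CLEAN_LIB = b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9 + b"clean-runtime-stub"
SAMPLE_BASELINE_SHA256 = hashlib.sha256(SAMPLE_CLEAN_LIB).hexdigest()


def runtime_lib_matches_baseline(lib_bytes: bytes, baseline_sha256: str) -> bool:
    """True when the library hashes to the known-good baseline. A mismatch on a
    device that has received no firmware update is the cue to decrypt and
    analyse the library, as Satori did for the Corejava component."""
    return hashlib.sha256(lib_bytes).hexdigest() == baseline_sha256.lower()
```

A mismatch alone does not prove BADBOX; it only says the system partition differs from what the vendor shipped, which on a no-name device may also be an unrecorded build variant.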
Chinese manufacturers are prominently featured in the BADBOX narrative. The role they play in embedding such firmware backdoors raises questions about quality checks and security protocols in place. Manufacturers globally need to adopt stringent measures to ensure that their products are not tampered with. This includes:
- Regular third-party security audits.
- Adopting a zero-trust model for their supply chain partners.
- Implementing advanced detection mechanisms to identify and remove potential threats before devices hit the market.
Recommendations and Conclusions
The average user faces considerable challenges in attempting to remove BADBOX. Given that the malware is embedded in a read-only partition of the device firmware, eradication is complex. The research teams advise users to:
- Opt for familiar brands when selecting new devices.
- Stay informed about potential threats and exercise caution with unknown brands.
- Refrain from downloading unverified applications and files.
For more detailed insights and findings, refer to the full report by Human Security.
The menace of pre-installed malware is not new to the cybersecurity landscape, but the scale and sophistication of BADBOX certainly set it apart. With global supply chains for consumer electronics being as intricate as they are, the chances of malware like BADBOX infiltrating devices at the production or distribution level increase. The revelation of this malware serves as a wake-up call for manufacturers, retailers, and end-users alike.