Date: 2023-10-04

Thousands of unsuspecting individuals who own cheap Android TV devices have fallen victim to malware infections and fraud schemes, according to cybersecurity firm Human Security. The company discovered that the T95 Android TV streaming box was infected with malware, revealing the extent of the problem. Human Security researchers found backdoors installed on seven Android TV boxes and one tablet, with signs of potentially 200 different models of Android devices impacted. The affected devices are found in homes, businesses, and schools across the US.

These cheap Android streaming boxes, often sold for under $50, are commonly unbranded or sold under different names, making it difficult to trace their source. Human Security found evidence of an Android app connected to the domain flyermobi.com, which appeared to be linked to inauthentic traffic. The researchers purchased the T95 box and multiple others and discovered that a firmware backdoor was added to the devices before reaching resellers. This backdoor, based on the Triada malware, modifies the Android operating system, enabling access to installed apps and creating a connection to a command and control center in China.

The compromised Android devices have been linked to various types of fraud, including advertising fraud, residential proxy services, creation of fake accounts, and remote code installation. Fraudsters were selling access to residential networks commercially, claiming to have access to millions of home and mobile IP addresses.

Security firm Trend Micro has also encountered similar backdoored Android devices in China, with one threat group claiming to have infected over 20 million devices worldwide. The supply chain infiltration makes it difficult for manufacturers to detect these compromised devices.

In addition to the Badbox findings, Human Security discovered a related app-based fraud operation known as Peachpit. This malicious activity was present on the TV boxes, Android phones, and iPhones. The company identified 39 apps involved in this fraud, performing actions such as hidden advertisements, spoofed web traffic, and malvertising. Though the individuals behind Peachpit appear different from those involved in Badbox, there is likely some form of collaboration.