
Dangerous backdoor discovered in cheap Chinese TV set-top boxes from Aliexpress

Last January, security researcher Daniel Milisic discovered that the T95 Android TV set-top box (sold, for example, on Aliexpress) was infected with malware straight out of the box. That turned out to be only the tip of the iceberg: Human Security has now revealed (PDF) an entire shadow network built on infected devices and malicious applications.

Image source: aliexpress.ru

Human Security researchers identified seven Android TV set-top boxes and one tablet sold with backdoors pre-installed, and found signs of malicious activity on a further 200 Android device models. These devices are used in homes, schools and companies. The researchers likened the operation to “a Swiss Army knife that does bad things on the internet.” It has two arms: Badbox, a network of devices with pre-installed backdoors, and Peachpit, a network of applications used to carry out advertising fraud.

Badbox consists mainly of inexpensive Android set-top boxes costing under $50, sold both online and in brick-and-mortar stores. They are unbranded or sold under various names, which helps disguise their origin. The infected devices generate malicious traffic by contacting the Flyermobi.com domain. Eight devices have been confirmed: the T95, T95Z, T95MAX, X88, Q9, X12PLUS and MXQ Pro 5G set-top boxes and the J5-W tablet. Human Security found at least 74,000 infected devices, including some in schools across the United States.

All are made in China and at some point in the supply chain had a backdoor based on the Triada trojan installed, which Kaspersky Lab first described in 2016; Triada replaces one of the core Android components and thereby gains access to the applications installed on the device. Without the user's knowledge the backdoor connects to a command-and-control (C2) server in China, downloads a set of instructions and carries them out. Human Security identified several kinds of such activity: advertising fraud; residential proxying, that is, selling third parties access to the network connections of the infected devices' owners; registering Gmail and WhatsApp accounts; and remote code execution.
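One practical check a network defender can run on the basis of the two paragraphs above is to look for the Badbox beacon in DNS logs. The script below is an added example, not code from the Human Security report or any vendor named in this article. It scans dnsmasq-style query log lines for lookups of Flyermobi.com, the only indicator domain the article names, and reports which client addresses made them, matching subdomains but not look-alike names such as notflyermobi.com. The sample log is constructed for this example; every other hostname and IP address in it is made up.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Domain named in the Human Security report as the Badbox traffic destination.
BADBOX_DOMAINS = {"flyermobi.com"}

# Constructed sample DNS query log in dnsmasq "query[type] name from client" form.
# Only flyermobi.com comes from the report; all other names and IPs are invented.
SAMPLE_LOG = """\
Oct 10 08:12:01 dnsmasq[1234]: query[A] www.google.com from 192.168.1.20
Oct 10 08:12:02 dnsmasq[1234]: query[A] api.flyermobi.com from 192.168.1.77
Oct 10 08:12:05 dnsmasq[1234]: query[AAAA] FLYERMOBI.COM. from 192.168.1.77
Oct 10 08:12:07 dnsmasq[1234]: query[A] notflyermobi.com from 192.168.1.30
Oct 10 08:12:09 dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.20
Oct 10 08:12:11 dnsmasq[1234]: query[A] flyermobi.com from 192.168.1.90
"""

LINE_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'FLYERMOBI.COM.' equals 'flyermobi.com'."""
    return name.lower().rstrip(".")


def matches_domain(name: str, domain: str) -> bool:
    """True if name is the indicator domain or a subdomain of it (label boundary respected)."""
    name = normalize(name)
    return name == domain or name.endswith("." + domain)


def find_badbox_clients(log_text: str, domains=BADBOX_DOMAINS) -> dict[str, list[str]]:
    """Return {client_ip: [normalized names queried]} for clients resolving indicator domains."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line (e.g. reply/cached lines); skip it
        name = m.group("name")
        if any(matches_domain(name, d) for d in domains):
            hits[m.group("client")].append(normalize(name))
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_badbox_clients(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

A client that shows up here is worth pulling off the network and inspecting, but absence of hits is not a clean bill of health: the report notes the operators pushed updates to hide activity, and a device can beacon to infrastructure the article does not list.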

Those behind the scheme sold access to their proxy network, claiming more than 10 million residential and 7 million mobile IP addresses. According to Trend Micro, the operators have more than 20 million infected devices worldwide, 2 million of which are active at any given time. One infected tablet was found in a European museum, and there is reason to believe many other kinds of Android devices are affected, including cars.

Image source: Gerd Altmann / pixabay.com

The second arm, Peachpit, consists of malicious applications that are present not only on the TV set-top boxes but are also installed by users themselves on Android phones and iPhones. They are mostly low-quality template apps, for example ab-workout routines or water-intake trackers. In total, 39 such applications were identified across Android, iOS and set-top boxes. Alongside their stated functions, these apps commit ad fraud and generate spoofed traffic. Notably, they share similarities with the malware deployed on Badbox devices.

The network generated up to 4 billion ad requests per day, involving 121,000 Android devices and 159,000 iPhones. The researchers estimate that the Android apps alone have been downloaded 15 million times in total. Because the advertising industry is so complex, the researchers do not have a complete picture, but on the data they have alone the operators could easily have earned $2 million per month.

Google spokesman Ed Fernandez said the company removed 20 Android apps from Google Play that were identified by Human Security researchers. He also said that devices with pre-installed backdoors are not Play Protect certified, meaning Google has no data on their security and compatibility testing, and noted that the Android website publishes a list of certified partners. Apple spokeswoman Archelle Thelemaque said the company had contacted the developers of the five applications named in the Human Security report; they were given 14 days to fix the issues, and four of the apps no longer pose a threat.

Human Security disrupted both the Badbox and Peachpit operations in late 2022 and the first half of this year. After the initial actions, the attackers pushed updates to the infected devices to hide the activity; the C2 servers that kept the firmware backdoor working were later taken offline. Activity on both systems has dropped sharply, but people continue to use these devices. Removing the malware is very difficult without technical knowledge, so the set-top boxes with pre-installed backdoors have effectively become sleeper agents. Consumers are advised to buy products from manufacturers they know and trust.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
