Non-Brand Chinese Android Device Backdoor Attack: An Overview

A report from Human Security has been making the rounds and appears to indicate a far-reaching malware problem in Android devices. I think it is important to review the findings of the report here. According to the report, non-brand Chinese manufacturers of Android-based devices, including smartphones, tablets, and CTV boxes, have been discovered distributing products infected with a firmware backdoor based on the notorious Triada malware. The infiltration happens at some point between the manufacturing phase and final delivery to resellers, physical retail stores, and e-commerce warehouses. When unsuspecting users turn on these compromised devices, the fraud activates, potentially causing significant financial and security risks.

Triada Malware’s Mechanism of Action

Triada malware, first identified in 2016, manipulates the core process of the Android operating system. By integrating itself into this process, Triada embeds within every application on the device, including essential system functions like text messaging. One of its notorious functionalities is intercepting payment-related text messages and altering the links to divert payments to the attackers. The deep-rooted access it gains makes it a formidable tool for cybercriminal activities.

Upon activation, infected devices connect to specific C2 (command and control) servers. These servers use the backdoor to inject additional modules into device memory, amplifying the threat actors' capabilities. With these capabilities, attackers can execute various types of fraud, establish residential proxy exit nodes, create counterfeit Gmail and WhatsApp accounts, and remotely install unauthorized code.

Peachpit: The Ad Fraud Segment

A particular component delivered by the C2 servers is capable of creating hidden WebViews on the infected devices. These concealed WebViews are manipulated to request, render, and interact with ads, disguising the requests so they appear to originate from different apps, devices, or websites. Termed Peachpit, this module is central to the Badbox operation and its ad fraud mechanism, and it possibly finances the entire operation.

Beyond this, Peachpit is associated with a set of 39 apps for the Android, iOS, and CTV platforms. These apps contain direct links to a fabricated supply-side platform (SSP). When activated, the SSP sends back an ad that injects specific JavaScript code into a WebView. This code falsifies details about the device the app is running on before generating another ad request.
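As an added example (not code from the Human Security report), the following detection heuristic runs over constructed ad request log lines and flags the Peachpit pattern described above: a single source that presents as many different app/device identities, or whose declared device model contradicts the platform in its user agent. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: src_ip, declared app bundle, declared model, user agent.
SAMPLE_LOG = """\
203.0.113.7 app=com.example.weather model=Pixel_7 ua="Mozilla/5.0 (Linux; Android 13)"
203.0.113.7 app=com.example.news model=iPhone14,2 ua="Mozilla/5.0 (Linux; Android 13)"
203.0.113.7 app=com.example.game model=SM-G991B ua="Mozilla/5.0 (Linux; Android 13)"
203.0.113.7 app=com.example.recipes model=Pixel_4a ua="Mozilla/5.0 (Linux; Android 13)"
198.51.100.2 app=com.example.weather model=Pixel_7 ua="Mozilla/5.0 (Linux; Android 13)"
198.51.100.2 app=com.example.weather model=Pixel_7 ua="Mozilla/5.0 (Linux; Android 13)"
"""

# Assumed line layout; real ad-server logs will differ.
LINE_RE = re.compile(r'^(?P<ip>\S+) app=(?P<app>\S+) model=(?P<model>\S+) ua="(?P<ua>[^"]*)"$')

def parse_log(text):
    """Parse log lines into dicts, skipping lines that do not match the layout."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def platform_mismatch(rec):
    """True when the declared model claims iOS but the user agent says Android:
    the kind of inconsistency a WebView that spoofs device details can leave."""
    claims_ios = rec["model"].lower().startswith(("iphone", "ipad"))
    return claims_ios and "android" in rec["ua"].lower()

def find_suspects(records, max_identities=2):
    """Return {ip: [reasons]} for sources presenting more than max_identities
    distinct (app, model) pairs, or emitting platform-mismatched requests."""
    identities = defaultdict(set)
    mismatches = defaultdict(int)
    for rec in records:
        identities[rec["ip"]].add((rec["app"], rec["model"]))
        mismatches[rec["ip"]] += platform_mismatch(rec)
    suspects = {}
    for ip, ids in identities.items():
        reasons = []
        if len(ids) > max_identities:
            reasons.append(f"{len(ids)} distinct app/model identities")
        if mismatches[ip]:
            reasons.append(f"{mismatches[ip]} platform-mismatched requests")
        if reasons:
            suspects[ip] = reasons
    return suspects

if __name__ == "__main__":
    for ip, reasons in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

A real deployment would key on a stable device or session identifier rather than the source IP alone, since a residential proxy node can also relay traffic that is not its own.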

At its peak, Peachpit compromised about 121,000 Android and 159,000 iOS devices, generating an average of 4 billion ad requests daily. It is worth noting that while Android devices were affected by the Badbox backdoor, iOS devices were only compromised through Peachpit apps available in many major app stores.

Residential Proxy and Other Malicious Activities

Badbox’s residential proxy module converts each infected device into a node for a global residential proxy network. This conversion permits attackers to sell access to users’ networks, potentially leading to criminal activities that can be traced back to the innocent device owner.

The infected devices can be harnessed to create unauthorized WhatsApp messaging accounts by capturing one-time passwords. They can also generate Gmail accounts, bypassing conventional bot detection. Such accounts can serve various malicious purposes, ranging from promoting fake apps and registering on exclusive WhatsApp channels to executing cybercrimes that point back to the device owner.

The Badbox backdoor’s connection with the C2 servers allows attackers to introduce new apps or code to the infected devices, facilitating real-time updates to their malicious schemes.

Countermeasures and Current Status

At the time of reporting, Human Security found that the Peachpit operation had been notably hampered: ad fraud traffic linked to the scheme had dwindled to below 1% of its peak, owing to countermeasures executed by Human Security. The remaining segments of Badbox, meanwhile, are in a dormant state. The C2 servers, which were the driving force behind the Badbox backdoor, have been taken down by the attackers themselves, presumably so they can adapt their strategy to the defenses set up by Human Security and other entities.

The Permanence of Badbox

In Singapore, there are reports of $875,000 being lost in September alone to Android malware ad scams. That is only one report, and a reliable quantification of the actual damages is hard to find. Unfortunately, a critical problem with Badbox is its persistence. Because it sits on the read-only partition of the device firmware, it is nearly impossible for average users to purge Badbox from their devices. Given that Badbox predominantly plagues low-cost, non-mainstream devices, the Satori team's guidance is straightforward: users should prioritize well-known brands when considering new device purchases. Play it safe.