
China-based Supply Chain Cyberattacks Hit Thousands of Android Devices


Human Security says it has disrupted a sophisticated, ongoing supply chain threat, operating out of China, that targets Android devices.

The cyber defender, which specializes in disrupting bot attacks, digital fraud and abuse, said it impeded a “key monetization mechanism” of several criminal operations built around off-brand Android mobile and connected TV (CTV) devices that were backdoored in China and then sold to end users through retailers.

74,000 Android Infections Found

Here are some key observations from Human’s Satori threat intelligence and research team, which said it had observed some 74,000 infections across Android-based mobile phones, tablets and CTV boxes:

  • The campaign, dubbed Badbox, relies on Triada, an Android malware family first uncovered in 2016, installed as a backdoor on physical devices (CTV boxes, smartphones and tablets running Android) somewhere in the supply chain in China, before the devices reach buyers.
  • Badbox-infected devices can steal personally identifiable information (PII), serve as residential proxy exit peers for other people's traffic, intercept one-time passwords and create fake messaging and email accounts, among other fraud schemes.
  • The average user cannot clean a Badbox-infected device. The backdoor is not an app that can be uninstalled, so restoring the device to factory defaults does not remove it; the malware simply reconnects to its command-and-control server on the first boot after the reset.
  • Devices containing the backdoor have been found on public school networks throughout the U.S.

“The Badbox scheme is an incredibly sophisticated operation, and it demonstrates how criminals use distributed supply chains to amplify their schemes on unsuspecting consumers who purchase devices from trusted e-commerce platforms and retailers,” said Gavin Reid, Human's chief information security officer. “This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised. Of the devices Human acquired from online retailers, 80 percent were infected with Badbox, which demonstrates how broadly they were circulating on the market.”

Badbox Campaign Uses Fake Clicks to Defraud Advertisers

In a related scheme, Human a year earlier discovered an advertising fraud variant of Badbox that used fake clicks to defraud advertisers and the broader ad technology ecosystem.

Here are some details of that campaign:

  • The fraudulent apps, dubbed Peachpit by the Satori team, generated about four billion ad requests a day. At their peak, Peachpit-associated apps were present on 121,000 Android devices and 159,000 iOS devices across 227 countries and territories.
  • The 39 Android, iOS and CTV apps involved in the scheme had been installed more than 15 million times before they were taken down.
  • No iOS devices carried the Badbox backdoor itself; iOS users were affected only by the Peachpit ad fraud, through the malicious apps.
  • None of the infected off-brand devices were Play Protect certified Android devices. A device's certification status is shown in the Play Store app under Settings > About; a device lacking it has not passed Google's compatibility and security testing.

Human said it worked with Google and Apple to disrupt the Peachpit operation and shared information about the Badbox campaign with law enforcement.

“The cybercriminals behind Peachpit utilized methods such as hidden advertisements, spoofed web traffic and malvertising to monetize their scheme and defraud the advertising industry,” said Marion Habiby, Human data scientist.