
Uncovering the T95 Android TV Streaming Box Malware and its Impact on 200 Models of Android Devices

Streaming Box Malware Discovery

The discovery of the T95 Android TV streaming box malware is attributed to Daniel Milisic, a Canadian developer. His scrutiny of the device revealed the unsettling truth: the TV box came pre-installed with malware that was operational right out of the box. This unusual and concerning discovery was shared by Milisic on his GitHub, sparking interest and raising alarm in the tech community. Notably, the apps that seemingly harbored the malware included the infamous Adups, raising red flags among experienced analysts in information security.

Daniel Milisic’s initial discovery of the T95 Android TV streaming box malware

Daniel Milisic's cybersecurity investigation commenced after purchasing the Android T95 TV box from Amazon. His thorough review led to the surprising revelation that this device was infested with malware. What made this especially alarming was that the malware had not been acquired post-purchase; rather, it was pre-installed alongside certain unusual and suspicious apps, such as Adups.

Multiple researchers confirm the findings

Following Milisic's groundbreaking revelation, other researchers in the field also decided to scrutinize this particular device. Their independent analysis mirrored Milisic's initial findings, affirming the veracity of his discovery. It thus became evident that these seemingly innocent TV box devices were, in fact, a vehicle for transporting malware into unsuspecting consumers' homes.

Human Security company’s research revealing a broader scope of infected devices

Human Security, another influential entity in cybersecurity, conducted extensive research in light of Milisic's revelation. Their findings were even more alarming: the issue was not limited to the T95 Android TV streaming box. A myriad of such devices were found to be plagued with the same pre-installed malware issue, confirming the extensive reach and critical nature of this security issue.

The Infected Devices and their Functions

In the course of the extensive research that ensued after Daniel Milisic’s initial discovery, it was revealed that the problem of pre-installed malware was not isolated to the T95 Android TV box. Further investigations confirmed the presence of backdoors in several other TV box models and even a tablet, making the threat more pertinent and widespread than initially expected. Furthermore, signs of impact were found on over 200 different models of Android devices. Intriguingly, these infected devices are believed to play a role in a related ad fraud operation named "Peachpit".

Seven Android TV boxes and one tablet confirmed to have the backdoors installed

The follow-up research revealed the disturbing fact that the malware issue permeated a wider range of devices. In total, seven different models of Android TV boxes and one tablet model were confirmed to have the nefarious backdoors pre-installed. This unexpected revelation broadened the scope of the issue, intensifying concerns over the safety of Android devices.

Signs of impact on 200 different models of Android devices

The adverse impact of this malware crisis became more pronounced when Human Security's research revealed that it potentially affected over 200 different models of Android devices. This finding underlined how extensive and insidious the problem had become, highlighting the urgent need for wide-reaching cybersecurity solutions.

Contextualization of the devices’ role in a related ad fraud operation named Peachpit

Parsing the signals from the infected devices led to the unearthing of the operation code-named "Peachpit", which was identified as an ad fraud operation. The function of the infected devices (i.e. the Android TV boxes and the tablet) in this operation was to inflate ad impressions by running in the background without arousing the suspicion of the device owner, thereby earning money for the fraudsters illegally controlling the operation. This hidden operation revealed another dark dimension of the pre-installed malware crisis, showcasing the critical nature of the threat posed by these devices.

Origin and Impact of the Fraudulent Behavior

The malicious behavior of the pre-installed malware on these Android devices can be traced back to specific sources. Further analysis linked the malware to the domain flyermobi.com and identified similarity with the notorious Triada malware that was uncovered in 2016. Moreover, the fraudulent actions of the malware were found to be connected to the unethical selling of residential network access, thereby extending the scope of its impact.

Connection of malware to the domain flyermobi.com

Unveiling the mystery behind the origin of the malware led to the discovery of a direct connection with the domain flyermobi.com. This link was critical in understanding the detailed operations and spread of the malware across a variety of Android devices, including the TV boxes and a tablet.
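One way a defender could check home-network resolver logs for the flyermobi.com indicator named in the report, as an added example that is not part of the article or of the researchers' work; the log format, client addresses and timestamps are constructed for illustration:

```python
"""Added example (not from the article): flag hosts whose DNS queries hit the
flyermobi.com domain named in the report, to spot a possibly infected box."""
import re
from collections import defaultdict

# Indicator taken from the article; subdomains are matched as well.
WATCHED_DOMAINS = {"flyermobi.com"}

# Constructed sample of resolver log lines: "<ts> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2023-01-10T20:01:02Z 192.168.1.23 time.android.com
2023-01-10T20:01:05Z 192.168.1.23 api.flyermobi.com
2023-01-10T20:01:09Z 192.168.1.40 www.example.org
2023-01-10T20:02:11Z 192.168.1.23 FLYERMOBI.COM.
2023-01-10T20:02:30Z 192.168.1.40 notflyermobi.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def matches_indicator(name: str) -> bool:
    """True if name equals a watched domain or is a subdomain of one.
    Names are normalised (case, trailing dot) so 'FLYERMOBI.COM.' matches,
    while look-alikes such as 'notflyermobi.com' do not."""
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_clients(log_text: str) -> dict[str, list[str]]:
    """Map each client IP that queried an indicator to the names it asked for."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = m.groups()
        if matches_indicator(qname):
            hits[client].append(qname.lower().rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} lookup(s) of {sorted(set(names))}")
```

A client that shows up here is a candidate for inspection or removal from the network, not proof of infection on its own.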

Backdoor based on the Triada malware spotted in 2016

The malware's backdoor was found to be strikingly similar to the Triada malware that was detected back in 2016. That notorious malware is known for its sophisticated code, its ability to gain superuser access, and its complex monetizing features. That the pre-installed malware on the TV boxes and tablet bears a resemblance to Triada underscored the severity and stealth of this fraudulent behavior.

Connection of fraud to commercial selling of residential network access

The investigation also detected a connection between the fraudulent behavior of the malware-infected devices and the unethical commercial selling of residential network access. This revelation meant that these devices were not only a medium for ad fraud operations but could also be used by cybercriminals to route residential network traffic illicitly, thereby exacerbating the consequences of this Android device malware crisis.

Actions Taken and Precautions for Consumers

In the face of this extensive malware crisis, proactive measures were undertaken to safeguard consumer interests and restore security. Notably, Human Security collaborated with law enforcement agencies and fiercely combated various elements of advertising fraud. Moreover, Google and Apple also contributed by removing the implicated apps from their respective stores. As a precautionary measure, consumers are advised to purchase their TV streaming devices from trusted and reputed brands.

Human Security’s work with law enforcement and action against advertising fraud elements

Human Security, the firm behind the large-scale exposure of this malware crisis, actively collaborated with law enforcement teams to counter the fraudulent practices that the malware-infected devices were executing. Concentrating its efforts particularly against the advertising fraud elements of Badbox and Peachpit, the firm was successful in significantly curbing the fraudulent ad request activities. However, potential threats still exist as infected boxes continue to reside in people's homes.

Removal of associated apps from Google Play Store and Apple’s response

In response to Human Security's report, Google took action by removing the 20 Android apps associated with the malware activity from the Play Store. Correspondingly, Apple also found five apps that breached their guidelines. The developers of these apps were given a fortnight to comply with policies, failing which, the apps would be removed. Four of the apps have successfully complied as of the time of reporting.

Advice for consumers to purchase branded devices from trusted manufacturers

Given the chronicle of events, it has become evident that purchasing off-brand devices presents substantial security risks. Hence, it is imperative that consumers buy TV streaming boxes from established and trusted manufacturers, primarily to avoid harmful backdoors being embedded in their devices. As Human Security's Reid rightly points out, "Friends don't let friends plug in weird IoT devices into their home networks."

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
