Chinese smart TV boxes infected with malware in PEACHPIT ad fraud campaign • The Register

/in


Infosec in brief Bot defense software vendor Human Security last week detailed an attack that “sold off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites … preloaded with a known malware called Triada.”

Human named the campaign to infect and distribute the Android devices BADBOX. The infected devices were sold for under $50. Human’s researchers found over 200 models with pre-installed malware, and when it went shopping for seven particular devices found that 80 percent of units were infected with BADBOX.

Analysis of infected devices yielded intel on an ad fraud module Human’s researchers named PEACHPIT. At its peak, PEACHPIT ran on a botnet spanning 121,000 devices a day on Android. The attackers also created malicious iOS apps, which ran on 159,000 Apple devices a day at the peak of the PEACHPIT campaign.

Those infected devices delivered over four billion ads a day – all invisible to users.

Human Security’s technical report [PDF] on BADBOX and PEACHPIT describes the campaign: “A Chinese manufacturer (possibly many manufacturers) builds a wide variety of Android-based devices, including phones, tablets, and CTV boxes.

“At some point between the manufacturing of these products and their delivery to resellers, physical retail stores and e-commerce warehouses, a firmware backdoor … gets installed and the product boxes are sealed in plastic, priming these devices for fraud on arrival at their destination.”

Human Security worked with Apple and Google to disrupt PEACHPIT, but warned BADBOX devices remain plentiful.

“Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plug it in, and unknowingly open this backdoor malware,” wrote Human Security’s Rosemary Cipriano. “This malware can be used to steal PII, run hidden bots, create residential proxy exit peers, steal cookies and one-time passwords, and more unique fraud schemes.”

– Simon Sharwood

It’s been four months since mass exploitation of vulnerabilities in Progress Software’s MOVEit file transfer software was publicly announced, and only a little more recent that the Clop ransomware gang added Sony to its list of victims.

In early…

Source…