China-based Supply Chain Cyberattacks Hit Thousands of Android Devices

Human Security Thwarts Complex Supply Chain Cyber Threat Targeting Android Devices in China

Human Security, a leading cybersecurity defender specializing in combatting bot attacks, digital fraud, and abuse, has successfully disrupted a sophisticated digital supply chain threat originating from China. The threat specifically targeted Android devices and posed a significant risk to unsuspecting users.

Key Highlights of the Operation:

• Human Security's Satori threat intelligence and research team uncovered the threat, dubbed "Badbox," which involved an elaborate supply chain scheme targeting off-brand mobile devices and CTV Android devices sold to consumers in China.

• Approximately 74,000 infections were detected on Android-based mobile phones, tablets, and CTV boxes.

• Badbox leveraged the notorious Triada malware, first identified in 2016, as a backdoor on physical devices during the supply chain process within China.

• Infected devices had the capability to steal personally identifiable information (PII), establish residential proxy exit peers, pilfer one-time passwords, create fake messaging and email accounts, and engage in various fraud schemes.

• Mitigating the threat posed a significant challenge because the malware responsible for deploying the backdoor maintained a connection with a command-and-control server during the device's initial boot-up, even after factory reset attempts.

• The reach of the Badbox campaign extended to public school networks in the United States, raising concerns about the global impact of this supply chain threat.

Gavin Reid, Human's Chief Information Security Officer, emphasized the sophistication and deception of the Badbox operation. He highlighted the challenge faced by consumers who unwittingly purchased compromised devices from trusted retailers.

The prevalence of Badbox-infected devices in the market was alarming, with 80% of the devices acquired from online retailers found to be infected. This underscores the expansive reach of the threat and its circulation through trusted e-commerce platforms and retailers.

Badbox's Fraudulent Ad Scheme:

In a related development, Human Security uncovered an advertising fraud variant of Badbox known as "Peachpit." This variant utilized fake clicks to defraud advertisers and the ad technology ecosystem.

• Peachpit-associated apps were responsible for approximately four billion ad requests per day and appeared on a vast number of Android and iOS devices worldwide.

• A collection of 39 Android, iOS, and CTV-centric apps, impacted by the scheme, had been installed more than 15 million times before their removal.

• iOS devices were not directly affected by the Badbox backdoor; they were targeted exclusively in the Peachpit ad fraud attack through malicious apps.

• The infected off-brand devices were not Play Protect certified Android devices, further highlighting the need for vigilance in the mobile device ecosystem.

Human Security collaborated with Google and Apple to disrupt the Peachpit operation and provided valuable information to law enforcement authorities concerning the Badbox campaign.

Marion Habiby, Human Data Scientist, emphasized the utilization of deceptive methods by cybercriminals in the Peachpit scheme, including hidden advertisements, spoofed web traffic, and malvertising, to monetize their fraudulent activities and defraud the advertising industry.

The successful mitigation of these supply chain threats underscores the importance of collaborative efforts between cybersecurity defenders, tech giants, and law enforcement to protect users and maintain the integrity of the digital ecosystem.