BADBOX puts malware into the hardware supply chain.
By Tim Nodar, CyberWire senior staff writer
Oct 5, 2023

Repackaging includes installation of malware.


Security firm HUMAN has disrupted “a key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices, sold to end users through major retailers originating from repackaging factories in China.” 

BADBOX embeds Triada malware into devices.

The campaign, dubbed “BADBOX,” uses the Triada malware “to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging and email accounts, and other unique fraud schemes.” 

HUMAN worked with Google and Apple to disrupt the ad fraud portion of BADBOX, dubbed “PEACHPIT.” Additionally, the researchers “shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation.”

The risk of compromised devices in the supply chain.

Roger Grimes, data-driven defense evangelist at KnowBe4, offered some observations on the discovery. For one thing, it’s not an entirely new problem.

“Compromised devices directly from vendors have been a problem for decades, but luckily for us, not super common,” he wrote in emailed comments. “But this instance shows that these are still viable and active attacks. They are more likely to NOT be caught by the end user because who expects their brand new device to be compromised? The first question investigators need to answer is if the device compromises were intended. Were the vendors aware of the backdoors and were they knowingly complicit in the compromise of their customers? Or were they unaware that their devices had been compromised in the supply chain or on the factory floor? If it's the latter, what steps are the involved vendors taking to make sure it doesn't happen again?”

Grimes points out one very useful initial screen: don't purchase from unknown or knock-off sources. “Buyer beware. Don't buy devices from new or relatively known vendors if you cannot completely trust them. It just isn't worth the savings. Instead go with reputable vendors who have earned customer trust over the long-run. It doesn't mean that a trusted vendor can't get compromised. It happens. But it's less likely to happen and the customer can usually expect better resolution when it does happen.” Or, as we might put it, go ahead and buy an Orioles t-shirt from a guy with a table set up on Eutaw Street, but get your smartphones elsewhere.

BADBOX is a more developed effort than most criminal capers. Gavin Reid, CISO of HUMAN, noted, “The BADBOX scheme is an incredibly sophisticated operation, and it demonstrates how criminals use distributed supply chains to amplify their schemes on unsuspecting consumers who purchase devices from trusted e-commerce platforms and retailers.” 

The malware infestations are common and difficult to detect. Reid adds, “This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised. Of the devices HUMAN acquired from online retailers, 80 percent were infected with BADBOX, which demonstrates how broadly they were circulating on the market.”
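Reid's point that users have almost no way to tell is worth making concrete. The script below is an added example, not code from the CyberWire article or from HUMAN's research: it runs a first-pass triage over the system properties an Android device reports (collected with `adb shell getprop`), flagging the generic warning signs a careless off-brand build tends to show, such as test-signed or debug builds, an unlocked bootloader, or a failed verified-boot state. The property names are standard Android system properties; the two sample outputs are constructed for illustration, and the thresholds are the author's own heuristics rather than any BADBOX indicator.

```shell
#!/bin/sh
# Added example, not code from the CyberWire article or from HUMAN's research.
# First-pass triage of an Android device from its system properties, the kind of
# check a buyer or responder can run over USB before trusting an off-brand box:
#   adb shell getprop > props.txt ; triage_props "$(cat props.txt)"
# It flags generic warning signs (test-signed or debug builds, unlocked bootloader,
# failed verified boot). A clean result is NOT proof the device is safe: a backdoor
# installed at the factory can ship inside a locked, release-signed image, which is
# exactly what makes supply-chain compromises hard to spot. Property names are
# standard Android system properties; the sample outputs below are constructed.

# prop_value PROPS KEY: print the value of "[KEY]: [value]" from getprop output
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2]: \[\(.*\)]$/\1/p" | head -n 1
}

# triage_props PROPS: print one WARN line per finding and a final RESULT line
triage_props() {
    props="$1"
    n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }

    # Production builds are signed with release-keys; test-keys means anyone
    # with the public AOSP test keys could have signed the system image.
    tags=$(prop_value "$props" ro.build.tags)
    case "$tags" in
        release-keys) ;;
        *) warn "build tags are '${tags:-missing}', expected release-keys" ;;
    esac

    # userdebug/eng builds allow root shells and relax platform restrictions.
    btype=$(prop_value "$props" ro.build.type)
    [ "$btype" = "user" ] || warn "build type is '${btype:-missing}', expected user"

    # Verified boot: green = boot chain verified against a locked device key;
    # yellow/orange/red mean a custom key, an unlocked device, or a failure.
    vb=$(prop_value "$props" ro.boot.verifiedbootstate)
    [ "$vb" = "green" ] || warn "verified boot state is '${vb:-missing}', expected green"

    # Bootloader lock state, as reported by two independent properties.
    locked=$(prop_value "$props" ro.boot.flash.locked)
    [ "$locked" = "1" ] || warn "ro.boot.flash.locked is '${locked:-missing}', expected 1"
    dstate=$(prop_value "$props" ro.boot.vbmeta.device_state)
    [ "$dstate" = "locked" ] || warn "vbmeta device state is '${dstate:-missing}', expected locked"

    # ro.debuggable=1 lets any app be debugged and run-as'd; never set on retail units.
    dbg=$(prop_value "$props" ro.debuggable)
    [ "$dbg" = "1" ] && warn "ro.debuggable is 1 (debuggable system image)"

    echo "RESULT: $n warning(s)"
}

# warning_count PROPS: just the number of findings, for scripting
warning_count() {
    triage_props "$1" | sed -n 's/^RESULT: \([0-9]*\) .*/\1/p'
}

# Constructed sample: what a carelessly built retail unit might report.
SUSPECT_PROPS='[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.fingerprint]: [generic/tv_box/tv_box:10/QP1A.190711.020/123:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.product.model]: [TV BOX]'

# Constructed sample: a properly locked, release-signed production build.
CLEAN_PROPS='[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
[ro.boot.verifiedbootstate]: [green]
[ro.build.fingerprint]: [vendorx/phone/phone:13/TQ1A.230105.002/9001/user/release-keys]
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]'

triage_props "$SUSPECT_PROPS"   # six WARN lines, then "RESULT: 6 warning(s)"
triage_props "$CLEAN_PROPS"     # "RESULT: 0 warning(s)"
```

The check separates the sloppy case (a box shipped with a debug, test-signed image and an open bootloader) from the dangerous one: a factory-installed backdoor inside a locked, release-signed firmware reports every one of these values as clean. That is why the article's advice to rely on the vendor's reputation, rather than on anything the device says about itself, is the more reliable control.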