A cyber-criminal operation known as BADBOX has been exposed: off-brand Android devices sold through popular online retailers and resale sites [2] [4] [5] [7] [8] [9], which passed through repackaging facilities in China [7] [8], reach buyers with a backdoor based on the Triada malware already installed [2] [5] [7] [8]. More than 74,000 devices worldwide [5] [6], including some in schools [4] [6], have shown signs of infection [5]; the backdoor enables theft of personally identifiable information and a range of fraudulent activity [5]. What makes BADBOX particularly dangerous is that the compromised hardware arrives through trusted e-commerce platforms and retailers [5].
Researchers from HUMAN Security discovered that a cheap Android TV streaming box, the T95, was infected with malware right out of the box [1]. The BADBOX backdoor, built on Triada [1] [5], has since been confirmed on seven Android TV boxes and one tablet [1], with signs that as many as 200 models of Android devices may be affected [1]. Infected devices have been found in homes [1], businesses [1], and schools across the US [1].

HUMAN Security also identified an ad fraud module called PEACHPIT within BADBOX, which carried out similar ad fraud on its own, independent of the backdoor [5]. Working with Google and Apple [2] [3], HUMAN disrupted the PEACHPIT operation and shielded the advertising industry from its fraudulent traffic [5]. The takedown, carried out through HUMAN's MediaGuard product [9], cut into the profits of the larger BADBOX operation [9].

The investigation found that the BADBOX backdoor, based on the Triada malware first documented by Kaspersky in 2016 [4] [6], has infected at least 74,000 Android devices worldwide [4], including some in schools [4] [6]. The preinstalled backdoor gives its operators control over the applications on the device [4]. It connects to a command-and-control server in China and is used for ad fraud [4], selling access to the victims' home networks [4], and creating fake accounts [4].
While PEACHPIT has been disrupted [3], the threat actors behind BADBOX may be reconfiguring their schemes [3]. The BADBOX scheme is difficult to detect [3]: 80% of the devices HUMAN acquired from online retailers were infected [2] [3] [7] [8], and because the backdoor ships preinstalled on the device, the average user cannot remove it [3]. HUMAN's report lists the malicious PEACHPIT application bundles and advises users to uninstall them [3]. HUMAN's stated aim is to raise the cost to attackers and disrupt the economics of cybercrime [2]; it has also shared information about the facilities that produced the infected devices with law enforcement [2].
[1] https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/
[2] https://finance.yahoo.com/news/human-disrupts-digital-supply-chain-102700153.html
[3] https://www.helpnetsecurity.com/2023/10/04/backdoored-android-devices/
[4] https://www.ruetir.com/2023/10/buying-an-android-deco-is-dangerous-there-are-more-than-70000-infected-with-malware/
[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/
[6] https://www.gearrice.com/update/there-are-more-than-70000-malware-infections/
[7] https://markets.financialcontent.com/stocks/article/bizwire-2023-10-4-human-disrupts-digital-supply-chain-threat-actor-scheme-originating-from-china
[8] https://www.finanznachrichten.de/nachrichten-2023-10/60279312-human-security-inc-human-disrupts-digital-supply-chain-threat-actor-scheme-originating-from-china-004.htm
[9] https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box