A cyber-criminal operation known as BADBOX has been exposed for selling off-brand Android devices on popular online retailers and resale sites. These devices, originating from repackaging factories in China, are infected with the Triada malware. Over 74,000 devices worldwide, including some in schools, have shown signs of infection, allowing for the theft of personally identifiable information and the execution of fraudulent activities. The ability of BADBOX to infiltrate trusted e-commerce platforms and retailers makes it particularly dangerous.
Researchers from Human Security have discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box. The malware, known as BADBOX Triada, has been found on seven Android TV boxes and one tablet, with signs of potentially impacting 200 different models of Android devices. These infected devices are located in homes, businesses, and schools across the US.
Furthermore, Human Security has also discovered an ad fraud module called PEACHPIT within BADBOX, which conducted similar ad fraud independently. Working with Google and Apple, Human Security was able to disrupt the PEACHPIT operation and protect the advertising industry from fraudulent schemes. HUMAN’s MediaGuard was able to disrupt the PEACHPIT ad fraud botnet, cutting into the profits of the larger BADBOX empire.
The investigation found that the BADBOX backdoor, based on the Triada malware discovered by Kaspersky in 2016, has infected at least 74,000 Android devices worldwide, including some in schools. These infected devices have backdoors installed, allowing access to the applications installed on them. The malware connects to a command and control server in China and carries out malicious activities such as ad fraud, selling access to home networks, and creating fake accounts.
While PEACHPIT has been disrupted, the threat actors behind BADBOX may be reconfiguring their schemes. The BADBOX scheme is difficult to detect, with 80% of devices acquired from online retailers found to be infected. The malware used in BADBOX cannot be fixed by the average user. The report published by Human Security provides a list of the malicious PEACHPIT application bundles and advises users to uninstall them. HUMAN Security aims to raise the cost to attackers and disrupt the economics of cybercrime. They have also shared information with law enforcement about the facilities involved in creating the infected devices.