A recent report by cybersecurity experts has uncovered a concerning issue with the T95 Android TV streaming box, a low-cost Chinese-made device [3]. It has been found to be infected with preloaded malware known as Badbox, which is based on the Triada malware [4]. This malware has been confirmed by other security experts, and it is not the only device affected. Seven other streaming box models and one Android tablet have also been found to contain malware. These devices are part of a larger operation called “Bandbox,” which involves a global network of consumer products with firmware backdoors.


The T95 devices, when turned on [4], activate the Badbox malware and download stage-two malware from a command and control server [4]. This malware connects to a botnet called Peachpit and engages in various malicious activities such as ad fraud, proxy services [1] [2], fake accounts [1] [2], and unauthorized code installation [1] [2]. The impact of this operation is significant, with approximately 200 compromised devices found in American households, businesses [2] [3], and schools [2] [3]. Furthermore, a fraudulent advertising campaign associated with multiple apps on iOS and Android was dismantled [3]. Google and Apple have taken action by removing the malware-ridden apps from their respective app stores.

These streaming boxes [1] [2] [3], which retail for less than $50 [3], are available online and in tech stores under various brand names [3]. The devices had a firmware backdoor that allowed unauthorized access to data from installed apps [3]. The Badbox malware was primarily used for ad fraud, residential proxy rights sales [3], setting up Google and WhatsApp accounts [3], and remote malware installation [2] [3]. The researchers also discovered a ghost company in China that was involved in high-tech crimes. Additionally, the Peachpit segment of the operation involved malware-infested apps that executed various online criminal activities [3], affecting both iOS and Android devices [3]. These corrupted apps were capable of concealed ads [3], boosting website traffic [3], and conducting malicious ad operations.

The impact of this malware is widespread, with approximately 121,000 Android and 159,000 iOS devices being affected [3], resulting in an estimated $2 million in monthly fraud [3]. To prevent infection [1], Human Security recommends avoiding off-brand devices and clone apps [1]. It is crucial for the cybersecurity community to continue researching the supply chain that allowed this threat to develop [1]. Despite the removal of the fraudulent advertising campaign, the infected devices are still present in homes [2], businesses [2] [3], and schools [2] [3], posing a significant risk to users’ security and privacy.


The discovery of the Badbox malware in the T95 Android TV streaming box and other devices highlights the need for increased vigilance in the cybersecurity landscape. The impact of this operation has been significant, with compromised devices found in various settings and a fraudulent advertising campaign dismantled. However, the presence of infected devices continues to pose a risk to users’ security and privacy. Mitigating this threat requires ongoing research into the supply chain and the adoption of preventive measures such as avoiding off-brand devices and clone apps. By addressing these issues, the cybersecurity community can work towards ensuring a safer digital environment for all users.


[1] https://www.darkreading.com/vulnerabilities-threats/badbox-operation-targets-android-devices-in-fraud-schemes
[2] https://tribune.com.pk/story/2440108/many-android-devices-come-with-unkillable-backdoor
[3] https://securityonline.info/from-badbox-to-peachpit-malware-unraveling-androids-multi-million-dollar-scam/
[4] https://www.techradar.com/pro/security/cheap-android-tv-boxes-shipped-with-unkillable-malware-heres-what-you-need-to-know