Rewterz Threat Alert – Thousands of Android Devices Sold with Backdoored Firmware – Active IOCs

Severity

High

Analysis Summary

Researchers have recently discovered a worldwide network of products called BADBOX that have firmware backdoors installed and are being shipped through an infected hardware supply chain. There are at least 74,000 Android phones, tablets, and TV boxes with the backdoored firmware being sold globally. Some of these products have been discovered on public school networks in the U.S.

A compromised supply chain of a Chinese manufacturer was identified to be involved in the backdooring of firmware of multiple products, which are then supplied to resellers, e-commerce warehouses, and physical retail stores. This backdoored firmware used the Triada malware as its base, a backdoor that was found some years ago in many cheap Android smartphones.

The Triada Trojan was first seen in 2016, and it was considered the most advanced threat for mobile devices at the time of discovery. This trojan was made with the intent to commit financial fraud by hijacking SMS transactions. It also possesses a modular architecture, giving it a wide range of capabilities. The only way to remove it from the smartphone is by reinstalling the OS after deleting everything from the device.

A lot of smartphone models were discovered to be shipped with pre-installed malware in 2017 and 2018. The backdoor allows the threat actors to inject additional modules into the compromised device memory, which is used to carry out different types of fraud, establishing proxy exit nodes, creating fake Gmail and WhatsApp accounts, and installing malicious code remotely.

“One of the modules deposited by the C2 servers enables BADBOX-infected smartphones, tablets, and CTV boxes to create WebViews fully hidden from the eyes of the owner. Those WebViews are used to request, render, and click on ads, spoofing the ad requests to look like they’re coming from certain apps, referred by certain websites, and rendered on certain models of smartphones, tablets, and CTVs, none of which are true,” the researchers mentioned in a report.

A scheme involving ad-fraud, utilizing a backdoor, has come to light, known as PEACHPIT. This scheme successfully infected a substantial number of devices, with over 121,000 Android devices and 159,000 iOS devices compromised. These compromised devices were harnessed to generate a staggering average of 4 billion ad requests daily.

Fortunately, the PEACHPIT campaign has been disrupted, and currently, the other elements of the BADBOX network are inactive. The threat actors behind the campaign have taken down the command-and-control (C2) servers used in this operation. However, cybersecurity experts caution that the threat actors retain the ability to reactivate their schemes at any time, potentially resuming their malicious activities. This underscores the ongoing need for vigilance and proactive security measures to protect against such threats.

Impact

• Financial Loss
• Unauthorized Access

Indicators of Compromise

Domain Name

• cbphe.com
• cbpheback.com
• ycxrl.com
• flyermobi.com

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• To enhance cybersecurity, it’s advisable to avoid off-brand devices that lack Play Protect certification.
• Exercise caution when downloading apps, especially copycat or clone versions, and verify their origins.
• If your device displays unusual behavior, such as unexpected ads, consider restoring it to factory settings to eliminate potentially compromised apps.
• Use network monitoring and intrusion detection systems to identify compromised systems.
• Isolate infected systems from the network to prevent further communication with the command-and-control server.
• Activate an incident response plan to coordinate actions and responsibilities among relevant teams within the organization.
• Ensure that all systems, applications, and software are up-to-date with the latest security patches and updates. 
• Implement robust network security measures, including firewalls, intrusion detection and prevention systems, and network segmentation to limit lateral movement.
• Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
• Enable strong authentication methods, such as two-factor authentication (2FA), for your accounts whenever possible.
• Try to avoid buying off-brand devices, but instead consider purchasing a new device from known and trusted brands.