If you’re going to buy an unofficial Android device, you should know the risks you’re taking first. HUMAN Security’s Satori Threat Intelligence and Research Team (via Wired) recently uncovered a fraud campaign affecting more than 1 million unlicensed Android tablets, TV boxes, digital projectors, and similar hardware. BADBOX 2.0, as the researchers have dubbed it, infects devices with a backdoor that gives the operators persistent, privileged remote access.
It’s worth noting that these are uncertified Android Open Source Project (AOSP) devices: they ship without Google Mobile Services and are not Play Protect certified the way a Pixel or Galaxy phone is. That removes Google’s on-device app scanning, a vital layer of defense, and makes the devices attractive targets for threat actors.
“The BADBOX 2.0 operation, like its predecessor [BADBOX], is driven by a backdoor that gives threat actors persistent privileged access on the device,” the research team explains on its blog. “One distribution channel for this backdoor is through a preinstalled app that activates once the device is powered on, while another channel is through downloads by unsuspecting users from third-party/unofficial app marketplaces.”
You can be duped into installing a malicious app on any device, but these Android devices may already be infected before you take them out of the box. In some cases, an infected device contacts a command-and-control (C2) server and silently downloads a payload the first time it powers on. Without any action on the user’s part, a tablet or streaming TV box becomes a foothold for the operators, and the owner has no way of knowing until it’s too late.
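The first-boot behaviour described above leaves a trace on the local network: a device that has never been seen before requests a lease and, within minutes, pulls a binary from a host no other device talks to. The following hunt script is an added example written for this article, not tooling from the researchers; the log format, the device names, the hostnames (all under the reserved `.invalid` TLD) and the 10-minute window are constructed assumptions, and the heuristic is a starting point for triage rather than an indicator specific to BADBOX 2.0.

```python
"""Hunt for 'new device phones home and fetches a payload' on a home or lab network.

Added example for this article (not the researchers' code). Heuristic:
  1. a DHCP lease from a MAC address never seen before marks a "new" device;
  2. within WINDOW of that first lease, the device fetches something that looks
     like a binary (octet-stream, or large) ...
  3. ... from a host that no other device on the network has contacted so far.
The log lines, names and hosts below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: DHCP lease events and egress HTTP events, one per line.
SAMPLE_LOG = """\
2025-03-05T17:00:02Z dhcp lease mac=aa:bb:cc:00:00:01 ip=192.168.1.20 hostname=laptop
2025-03-05T18:00:30Z http src=192.168.1.20 host=updates.vendor-a.invalid method=GET bytes=512000 ctype=application/octet-stream
2025-03-05T18:02:11Z dhcp lease mac=aa:bb:cc:00:00:42 ip=192.168.1.50 hostname=TVBOX
2025-03-05T18:02:40Z http src=192.168.1.50 host=time.android.invalid method=GET bytes=220 ctype=text/plain
2025-03-05T18:03:15Z http src=192.168.1.50 host=cdn.stage-one.invalid method=GET bytes=1843200 ctype=application/octet-stream
2025-03-05T19:40:00Z http src=192.168.1.20 host=cdn.stage-one.invalid method=GET bytes=4096 ctype=text/html
2025-03-06T09:00:00Z http src=192.168.1.50 host=cdn.stage-one.invalid method=GET bytes=1843200 ctype=application/octet-stream
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) dhcp lease mac=(?P<mac>\S+) ip=(?P<ip>\S+)(?: hostname=(?P<name>\S+))?$"
)
HTTP_RE = re.compile(
    r"^(?P<ts>\S+) http src=(?P<ip>\S+) host=(?P<host>\S+) method=(?P<method>\S+) "
    r"bytes=(?P<bytes>\d+) ctype=(?P<ctype>\S+)$"
)


def parse_ts(value: str) -> datetime:
    """Timestamps in the constructed log are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Finding:
    mac: str
    ip: str
    host: str
    size: int
    seconds_after_first_seen: int


def hunt_first_boot_fetches(
    log_text: str,
    window: timedelta = timedelta(minutes=10),
    min_bytes: int = 100_000,
) -> list[Finding]:
    """Return HTTP fetches that match the first-boot heuristic, in log order."""
    first_seen: dict[str, datetime] = {}     # mac -> timestamp of its first lease
    ip_to_mac: dict[str, str] = {}           # current lease table
    host_clients: dict[str, set[str]] = {}   # host -> MACs that contacted it so far
    findings: list[Finding] = []

    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            first_seen.setdefault(m["mac"], parse_ts(m["ts"]))
            ip_to_mac[m["ip"]] = m["mac"]
            continue
        m = HTTP_RE.match(line)
        if not m:
            continue  # some other event type; not needed for this hunt
        mac = ip_to_mac.get(m["ip"])
        if mac is None:
            continue  # traffic from an IP with no lease on record; out of scope here
        host = m["host"]
        clients = host_clients.setdefault(host, set())
        other_clients = clients - {mac}   # evaluated before recording this contact
        clients.add(mac)

        age = parse_ts(m["ts"]) - first_seen[mac]
        size = int(m["bytes"])
        looks_binary = m["ctype"] == "application/octet-stream" or size >= min_bytes
        if age <= window and looks_binary and not other_clients:
            findings.append(Finding(mac, m["ip"], host, size, int(age.total_seconds())))
    return findings


if __name__ == "__main__":
    for f in hunt_first_boot_fetches(SAMPLE_LOG):
        print(f"{f.mac} ({f.ip}) fetched {f.size} bytes from {f.host} "
              f"{f.seconds_after_first_seen}s after first appearing")
```

On the constructed log only the TV box trips all three conditions: the laptop’s update download happens an hour after its lease, the box’s small time-sync request is not a binary, and the box’s repeat download the next morning falls outside the window. A legitimate first-boot OTA update will also match, so the output is a list of devices to look at, not a verdict.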
Even if you manage to acquire a clean device, the danger doesn’t end there. The research team notes that apps carrying the BB2DOOR backdoor have been uploaded to unofficial app marketplaces, and they are just as effective once a user installs them.
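Both distribution channels quoted above (a preinstalled app and sideloads from unofficial marketplaces) show up in the device’s own package records. The script below is an added triage example for this article, not tooling from the researchers or from Google. It parses the output of two real commands, `adb shell pm list packages -i` (which prints each package with its recorded installer, `null` when there is none) and `adb shell pm list packages -s` (system-image packages only), captured beforehand so the script runs offline; the package and installer names in the samples are constructed.

```python
"""Sort a device's installed packages by where they came from.

Added example for this article (not the researchers' or the platform's code).
Input is captured output from two adb commands:
    adb shell pm list packages -i   -> "package:<name>  installer=<pkg>|null"
    adb shell pm list packages -s   -> system (preloaded) packages only
Package and installer names in the samples below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"

# Constructed captures; on a real device replace these with the command output.
PM_LIST_I = """\
package:com.android.settings  installer=null
package:com.example.launcher  installer=null
package:com.example.streamer  installer=com.example.thirdpartystore
package:com.example.notes  installer=com.android.vending
package:com.example.updater  installer=null
"""
PM_LIST_S = """\
package:com.android.settings
package:com.example.launcher
"""

INSTALLER_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")
SYSTEM_LINE = re.compile(r"^package:(?P<pkg>\S+)$")


@dataclass
class Triage:
    play_store: list[str] = field(default_factory=list)   # installed by Google Play
    preinstalled: list[str] = field(default_factory=list) # on the system image, no installer
    sideloaded: dict[str, str] = field(default_factory=dict)  # pkg -> third-party installer
    orphaned: list[str] = field(default_factory=list)     # not system, yet no installer record


def triage_packages(installer_output: str, system_output: str) -> Triage:
    """Bucket every package from `pm list packages -i` using `pm list packages -s`."""
    system = {
        m["pkg"]
        for line in system_output.splitlines()
        if (m := SYSTEM_LINE.match(line.strip()))
    }
    result = Triage()
    for line in installer_output.splitlines():
        m = INSTALLER_LINE.match(line.strip())
        if not m:
            continue  # blank line or unexpected format; skip rather than guess
        pkg, installer = m["pkg"], m["installer"]
        if installer == PLAY_STORE:
            result.play_store.append(pkg)
        elif installer == "null":
            (result.preinstalled if pkg in system else result.orphaned).append(pkg)
        else:
            result.sideloaded[pkg] = installer
    for bucket in (result.play_store, result.preinstalled, result.orphaned):
        bucket.sort()
    return result


def packages_to_review(t: Triage) -> list[str]:
    """Packages worth a manual look first: third-party installers and orphans."""
    return sorted(set(t.sideloaded) | set(t.orphaned))


if __name__ == "__main__":
    t = triage_packages(PM_LIST_I, PM_LIST_S)
    for pkg, src in t.sideloaded.items():
        print(f"sideloaded  {pkg}  (installer {src})")
    for pkg in t.orphaned:
        print(f"orphaned    {pkg}  (no installer record, not on system image)")
    print("review first:", packages_to_review(t))
```

On an uncertified AOSP device the `play_store` bucket will be empty by definition, and a factory-implanted dropper of the kind the quote describes lands in `preinstalled` alongside every legitimate vendor app, so that bucket needs to be diffed against a known-good copy of the same firmware rather than trusted because it is on the system image. Note that `pm` only reports what the package manager recorded; it cannot see a payload the backdoor fetched and loaded without installing a package.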
In all, BADBOX 2.0 traffic has been observed from 222 countries and territories. The infections are not evenly spread, though: the researchers found that more than a third of the infected devices are in Brazil, where third-party AOSP devices are especially popular.
“Though we can identify the threat actor groups behind the various components of the operation, a true takedown of this threat remains elusive, as the supply chain of compromised devices is still intact,” the Satori team concludes.