This post explores the Badbox and Peachpit malware on Android, which granted illegitimate users backdoor access to Android devices and home networks. It details how the Triada mobile trojan formed the basis for Badbox, which infected over 74,000 devices by modifying the Android OS and remaining hidden.
Badbox Malware
Does malware come to mind when you think about streaming devices and televisions? You may have to reconsider that thought following the emergence of Badbox and Peachpit, two malware-based schemes that grant illegitimate users backdoor access to hardware devices and home networks.
Badbox is built on Triada, a mobile trojan that relies on system modification and stealth to compromise mobile devices. First seen in 2016, Triada abuses root access on devices to collect information (e.g., device model, OS version, and details about installed applications) and sends it to servers controlled by cybercriminals, who use that access to steal data or issue malicious commands.
The Triada malware modifies the root system in Android OS (specifically the Zygote process) to obtain elevated privileges and evade security checks. The Triada trojan stays hidden by concealing its system functions and modules from the running processes on devices.
In 2019, Google reported that Triada had evolved from a rooting trojan that relied on code injection and unsanctioned app installs into a preinstalled variant that adds extra code to the log function of the Android framework. Because logging is called constantly, the injected code runs non-stop and lets Triada maintain a backdoor into Android apps. Third-party suppliers inadvertently spread Triada during their production process.
The 2019 Triada evolution formed the bedrock for Badbox’s distributed fraud services. Gavin Reid, CISO at Human Security, echoed this in his Badbox analysis. ‘Unbeknownst to the user, when you plug this [Badbox-infected device] thing in, it goes to a command and control (C2) in China, downloads an instruction set, and starts doing a bunch of bad stuff’, Reid said.
In late 2023, the Human Security research team reported that cheap, unbranded, China-manufactured streaming boxes are carriers of Badbox. The Human Security team corroborated the findings that Canadian security consultant Daniel Milisic published in January 2023. Milisic had discovered that e-commerce platforms such as Amazon and AliExpress were selling T95 Android TV boxes laced with Badbox-like malware.
Researchers believe the Badbox malware in these streaming boxes originates from manufacturing in China, but they are unsure at which stage of the supply chain the illicit firmware backdoors were inserted. The effects of Badbox on devices, however, are well documented. The malware impacted at least 74,000 Android-based mobile devices and connected TVs (CTVs) in 2023. Likewise, Peachpit, the app-based fraud element of Badbox, affected 121,000 Android phones. Unlike Badbox, Peachpit also reached iPhones, affecting 159,000 iOS devices.
Peachpit Malware
Cybercriminals use Badbox-provided access to create fake email and WhatsApp accounts, remotely install unauthorized code, and sell access to home networks by turning infected devices into residential proxy services and access points. Advertising fraud, the operation that hides ads, spoofs web traffic, and delivers malvertising, is the domain of Peachpit.
Peachpit fraud schemes started with the Triada-based Badbox malware in 2019, when spam apps displayed ads on devices, draining batteries while cybercriminals secretly siphoned off ad revenue. In 2022, the Badbox operators added a new dimension to their operations, which the Satori threat investigation team code-named Peachpit.
Peachpit uses app spoofing to spread malware-driven traffic. The malware also uses programmatic advertising to sell the fake impressions it generates, enabling cybercriminals to profit from fraudulent impressions and spoofed apps. Peachpit affects Android and iOS apps available on app marketplaces, as well as every app on backdoored Badbox-infected devices. However, Peachpit can carry out its fraudulent operations without Badbox backdoor access.
Peachpit’s damaging effects are seismic. At its peak, the Peachpit botnet processed four billion fraudulent requests a day, directly involving 20 Android apps, 16 iOS apps, and 3 CTV channels. Furthermore, the Human Security team observed Peachpit-style traffic in 227 countries and territories and 15 million downloads of the affected Android apps, with cybercriminals reportedly making $2 million per month from Peachpit.
Journey So Far
Cybersecurity organizations, such as Human Security and Kaspersky, routinely analyze the evolving tactics of Badbox variants. For instance, Kaspersky explained the techniques that the Triada trojan used to infect Android devices in 2016. In 2017, Dr. Web explained the preinstalled backdoor variant of the Triada trojan.
The findings from Kaspersky and Dr. Web laid the groundwork for Google’s security intervention. In 2018, Google pushed over-the-air (OTA) updates to remove the Triada infection from Android devices. It also provided system updates to original equipment manufacturers (OEMs) whose devices shipped with Triada, to reduce the spread of Triada variants.
HUMAN, the security firm, released a dossier on the activities of Badbox and its cousin Peachpit, detailing the working modules of Badbox. The report explained that the burden of defending against Triada-style malware falls on OEMs and platform vendors like Google and Apple, not the average user: “Since the malware [Badbox and its family] is located on a read-only (ROM) partition of the device firmware, the average user won’t be able to remove Badbox from their products.”
The security firm claimed it clipped the fraud wings of Badbox after collaborating with Google and Apple. “As of the writing, Peachpit has been disrupted, while the other components of Badbox are dormant,” HUMAN revealed in its latest report.
Google spokesperson Ed Fernandez confirmed the collaboration with HUMAN, stating that Google removed 20 Android apps that violated its security and compatibility tests as part of the effort against unbranded, Badbox-laden devices. “The off-brand devices discovered to be Badbox-infected were not Play Protect-certified Android devices,” Fernandez said. Apple likewise removed five apps that the HUMAN team highlighted as Badbox carriers.
Next Steps
Cyberthreats are growing more advanced, from sophisticated malware to inside attacks. BlackFog provides complete protection against these risks. Our enterprise solution delivers behavioural analysis, anti data exfiltration, insider threat prevention, and ransomware protection across endpoints. We stop cyberthreats in their tracks before damage occurs.
BlackFog reinforces compliance and secures sensitive data wherever it resides. Our adaptive next generation technology empowers organizations with cyber resilience. Let our advanced technology provide the layered security you need to defend against cyberattacks including ransomware and extortion. Schedule a free assessment and get insight into your current vulnerabilities.