According to a study by cybersecurity company Human Security, at least 1 million Android devices made by little-known brands and sold on Chinese online marketplaces are infected with malware that turns them into a botnet controlled by fraudsters. The devices are infected through malicious apps and firmware, or even at the manufacturing stage.


As Wired reports, the Badbox cybercriminal network, which rose to prominence in 2023 for planting secret backdoors in tens of thousands of Android TV boxes used in homes, schools, and businesses, has launched a next-generation campaign, Badbox 2.0, that is larger in scope and even more inventive.

Infected TV streaming boxes, tablets, projectors, and in-car infotainment systems are being used by attackers to commit ad fraud or as part of a proxy service to route and disguise web traffic, without the owners of the compromised devices even realizing it.

According to the study, most of the infected devices are located in South America, primarily in Brazil. Dozens of streaming TV boxes were found infected, but the Badbox 2.0 backdoor was mostly distributed in the TV98 and X96 device families, which are widely available on marketplaces such as AliExpress. Almost all of the affected devices run builds based on the Android Open Source Project (AOSP), meaning they run versions of Android that are not part of Google’s secure device ecosystem and do not receive its protections.

Google said it worked with researchers to remove publisher accounts linked to the fraud and block those accounts from earning revenue through Google’s advertising ecosystem.

The Badbox 2.0 operation also uses traditional malware distribution, for example drive-by downloads, in which a user unknowingly downloads malware while visiting a website.

Researchers from several firms believe the current campaign is being carried out by multiple cybercriminal groups, each with their own versions of the Badbox 2.0 backdoor and malicious modules, and distributing the software in different ways.

For example, attackers publish a harmless app, such as a game, on the Google Play store so that it appears verified, then trick users into downloading near-identical but malicious versions of the same app from outside the official app stores.

“The scale of the operation is huge,” said Fyodor Yarochkin, a senior threat researcher at Trend Micro. According to him, many of the groups involved in the malware campaign appear to have ties to Chinese gray-market advertising and marketing firms. Human, Trend Micro, and Google also reportedly worked with the internet security group Shadowserver to neutralize as much of the Badbox 2.0 infrastructure as possible.

“As a consumer, you should remember that if the device is too cheap, you should be prepared for the fact that it may contain some additional ‘surprises,’” says the expert. “There is no such thing as a free lunch.”
