Badbox Operation Targets Android Devices in Fraud Schemes

Researchers believe that more than 70,000 Android devices may have been affected with preloaded Peachpit malware that was installed on the electronics before being sold at market.

After a researcher discovered that an Android-based TV streaming box, known as T95, was infected with preloaded malware, researchers at Human Security released information regarding the extent of infected devices and how malicious schemes are connected to these corrupted products.
Daniel Milisic, a systems security consultant, created a script alongside instructions to help other users mitigate the threat after first coming across the issue. Now, Human Securitys threat intelligence and research team has dubbed the operation Badbox, which it characterizes as a complex, interconnected series of ad fraud schemes on a massive scale.
Human Security describes the operation as a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain. Once activated, the malware on the devices connect to a command-and-control (C2) server for further instructions. In tandem, a botnet known as Peachpit is integrated with Badbox, and engages in ad fraud, residential proxy services, fake email/messaging accounts, and unauthorized remote code installation.
According to the researchers at Human Security, 200 different models of
Android devices are potentially affected
, and at least 74,000
Android devices
globally are potentially impacted by the Badbox infection. Eight different types of devices have backdoors installed: seven Android-based TV boxes — T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G — and an Android tablet, J5-W. The devices are
made in China
and somewhere along their supply chain, a firmware backdoor gets implemented on the devices.
The infected devices are from the Android Open Source Project (AOSP), meaning that anyone can modify the code, according to a Google spokesperson; they are not built on the official
Android TV
operating system for smart TVs and streaming devices, which is proprietary and open only to Google and its licensed partners for code modification. The off-brand devices discovered to be BADBOX-infected were not
Play Protect certified Android devices
. If a device isnt Play Protect certified, Google doesnt have a record of security and compatibility test results.
Googles spokesperson adds, Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our
Android TV website
provides the most up-to-date list of partners. You can also take
these steps
to check if your device is Play Protect certified.
Human Security recommends that users avoid off-brand devices and be wary of clone apps that could potentially infect their device. In addition, users should consider restoring factory settings if a device is behaving oddly.
While the disruption of Bandbox is a victory for the cybersecurity community, research must continue into the supply chain that allowed the threat to develop in the first place, Human Security said
in its report
, and added that other threat actors are poised to fill the vacuum.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Badbox Operation Targets Android Devices in Fraud Schemes