Android Devices With Backdoored Firmware Found In US Schools (securityweek.com) 36
An anonymous reader quotes a report from SecurityWeek: Tens of thousands of Android devices have been shipped to end-users with backdoored firmware, according to a warning from cybersecurity vendor Human Security. As part of the global cybercriminal operation called BadBox (PDF), Human Security found a threat actor relied on supply chain compromise to infect the firmware of more than 70,000 Android smartphones, CTV boxes, and tablet devices with the Triada malware. The infected devices come from at least one Chinese manufacturer but, before they are delivered to resellers, physical retail stores, and e-commerce warehouses, a backdoor was injected into their firmware. "Products known to contain the backdoor have been found on public school networks throughout the United States," Human says.
Discovered in 2016, Triada is a modular trojan residing in a device's RAM, relying on the Zygote process to hook all applications on Android, actively using root privileges to substitute system files. Over time, the malware went through various iterations and was found pre-installed on low-cost Android devices on at least two occasions. As part of the BadBox operation that Human Security discovered, the infected low-cost Android devices allow threat actors to carry out various ad-fraud schemes, including one named PeachPit, which at its peak relied on 121,000 Android and 159,000 iOS devices infected with malware, and on 39 Android, iOS, and CTV-centric apps designed to connect to a fake supply-side platform (SSP).
One of the modules delivered to the infected devices from the command-and-control (C&C) server allows the creation of WebViews that are fully hidden from the user, but which "are used to request, render, and click on ads, spoofing the ad requests to look like they're coming from certain apps, referred by certain websites, and rendered" on specific devices. BadBox, Human Security notes, also includes a residential proxy module that allows the threat actors to sell access to the victim's network. Furthermore, they can create WhatsApp messaging accounts and Gmail accounts they can then use for other malicious activities. "Finally, because of the backdoor's connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner's permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices' owners," Human notes.
Discovered in 2016, Triada is a modular trojan residing in a device's RAM, relying on the Zygote process to hook all applications on Android, actively using root privileges to substitute system files. Over time, the malware went through various iterations and was found pre-installed on low-cost Android devices on at least two occasions. As part of the BadBox operation that Human Security discovered, the infected low-cost Android devices allow threat actors to carry out various ad-fraud schemes, including one named PeachPit, which at its peak relied on 121,000 Android and 159,000 iOS devices infected with malware, and on 39 Android, iOS, and CTV-centric apps designed to connect to a fake supply-side platform (SSP).
One of the modules delivered to the infected devices from the command-and-control (C&C) server allows the creation of WebViews that are fully hidden from the user, but which "are used to request, render, and click on ads, spoofing the ad requests to look like they're coming from certain apps, referred by certain websites, and rendered" on specific devices. BadBox, Human Security notes, also includes a residential proxy module that allows the threat actors to sell access to the victim's network. Furthermore, they can create WhatsApp messaging accounts and Gmail accounts they can then use for other malicious activities. "Finally, because of the backdoor's connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner's permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices' owners," Human notes.
Really awful summary (Score:5, Informative)
TFS makes it sound like 159,000 iOS devices had their firmware backdoored, but that number is talking about Peachpit-enabled malware apps downloaded from the iOS app store. Precisely 0 iOS devices have been found with backdoored firmware.
Interested parties should probably read the actual PDF [humansecurity.com] from Human Security to get the correct information.
Re: Really awful summary (Score:4, Interesting)
Agreed! Thanks for posting the PDF.
What I found interesting is that Badbox affects only Android devices.
The other, the malware campaign, affects multiple devices, including iOS and is delivered through multiple app marketplaces.
But, it does not say it was delivered by Apple's official AppStore.
Perhaps, these iOS devices downloaded apps to jailbroken devices?
And, if that is case, does it bolsters Apple's argument NOT to open up their ecosystems to other, 3rd party, app stores?
Re: Really awful summary (Score:5, Interesting)
Apple has bet the farm on being the gatekeeper. So far, it has worked out surprisingly well. Not perfectly, but well enough to keep the iOS ecosystem remarkably clean, although stuff does get through (such as insecure cryptocurrency wallet apps).
The issue with Android is that without some form of gatekeeper, it isn't too tough to make apps that can exfiltrate a lot of data. This isn't the operating system's fault, but the fault of where apps come from. We have seen this in China with no-name Android app stores which function as a repository, but without doing any integrity checking, allowing anyone to throw up a .apk file, claim it is an app, and call it done. Often, Android asks for a lot of permissions all at once, so the user tends to just click "install", as opposed to the newer model of asking on first use.
The solution would be a dedicated, curated repository. However, having the manpower and equipment to not just vet apps, but keep abreast of how the bad guys obfuscate things is not cheap.
Re: Really awful summary (Score:4, Interesting)
Apple has bet the farm on being the gatekeeper. So far, it has worked out surprisingly well. Not perfectly, but well enough to keep the iOS ecosystem remarkably clean, although stuff does get through (such as insecure cryptocurrency wallet apps).
The issue with Android is that without some form of gatekeeper, it isn't too tough to make apps that can exfiltrate a lot of data. This isn't the operating system's fault, but the fault of where apps come from. We have seen this in China with no-name Android app stores which function as a repository, but without doing any integrity checking, allowing anyone to throw up a .apk file, claim it is an app, and call it done. Often, Android asks for a lot of permissions all at once, so the user tends to just click "install", as opposed to the newer model of asking on first use.
The solution would be a dedicated, curated repository. However, having the manpower and equipment to not just vet apps, but keep abreast of how the bad guys obfuscate things is not cheap.
It is the Operating System Publisher's (Google) fault; for not having exactly the same type of mandatory "App Curation" (Gatekeeper) Rules as Apple has with their Mobile OSes.
But in their mad Marketing push to appear more "Open", Google's real joke is on Android's Users.
And oh, BTW, Google certainly has enough cash in their war chest to change to a "Curated" App Store. "Cost" is a very poor excuse; and just underlines that Google cares more about Profits than People. Besides, all they have to do is increase their Developer Fees just a teeny bit, and it's magically all paid for!
Re: Really awful summary (Score:4, Interesting)
What Google needs to do is have a multi-tier app store. Tier 1 is curated just as meticulously as Apple's is, perhaps with an upcharge for developers to use it. Tier 2 is what they have right now. From there, have devices default to only tier 1 at the start, with the user given the ability to go to tier 2, with a warning about one can't just walk into Mordor.
This is not revolutionary stuff. Red Hat, Debian, and Ubuntu do a great job at keeping their ecosystems clean.
Re: (Score:2)
What Google needs to do is have a multi-tier app store. Tier 1 is curated just as meticulously as Apple's is, perhaps with an upcharge for developers to use it. Tier 2 is what they have right now. From there, have devices default to only tier 1 at the start, with the user given the ability to go to tier 2, with a warning about one can't just walk into Mordor.
This is not revolutionary stuff. Red Hat, Debian, and Ubuntu do a great job at keeping their ecosystems clean.
Not revolutionary stuff; which only underscores just how little Google cares about its Vict. . . er, Users.
Re: Really awful summary (Score:4, Informative)
More to the point, low cost handset manufacturers are a trivial vector for hacked firmware. No amount of operating system vetting or App Store curation is going to fix physical access to phones that nobody pays enough to care about. You're not hearing about this on Samsung or Pixel phones. It's not impossible, but they've got somewhat tighter supply chains, as does Apple.
Re: (Score:2)
More to the point, low cost handset manufacturers are a trivial vector for hacked firmware. No amount of operating system vetting or App Store curation is going to fix physical access to phones that nobody pays enough to care about. You're not hearing about this on Samsung or Pixel phones. It's not impossible, but they've got somewhat tighter supply chains, as does Apple.
That's a flimsy excuse.
I agree that, in this particular case, it appears that an evil middleman in the OEMs' supply chains was involved; but there have been far too many infections of Android devices (including "premium" brands) by malicious, poorly-vetted Android Apps, to blame just the Budget Device OEMs.
Re: (Score:2)
It is the Operating System Publisher's (Google) fault; for not having exactly the same type of mandatory "App Curation" (Gatekeeper) Rules as Apple has with their Mobile OSes.
Nope. It's the end-user's fault for installing random shit on their personal "my entire life is on here" all purpose spying device without a care in the world. No device can keep you safe in that case. Not even Apple, but these same idiots will happily champion Apple being responsible for them. (Because why should they have to do anything?)
And oh, BTW, Google certainly has enough cash in their war chest to change to a "Curated" App Store. "Cost" is a very poor excuse; and just underlines that Google cares more about Profits than People. Besides, all they have to do is increase their Developer Fees just a teeny bit, and it's magically all paid for!
Funny how someone else assuming responsibility over you and paying for your protection is considered "secure" in a country where big government is constantly feared and
Re: (Score:2)
It is the Operating System Publisher's (Google) fault; for not having exactly the same type of mandatory "App Curation" (Gatekeeper) Rules as Apple has with their Mobile OSes.
Nope. It's the end-user's fault for installing random shit on their personal "my entire life is on here" all purpose spying device without a care in the world. No device can keep you safe in that case. Not even Apple, but these same idiots will happily champion Apple being responsible for them. (Because why should they have to do anything?)
And oh, BTW, Google certainly has enough cash in their war chest to change to a "Curated" App Store. "Cost" is a very poor excuse; and just underlines that Google cares more about Profits than People. Besides, all they have to do is increase their Developer Fees just a teeny bit, and it's magically all paid for!
Funny how someone else assuming responsibility over you and paying for your protection is considered "secure" in a country where big government is constantly feared and taxes are always considered too high.
Oh? It's because Apple is a faceless unassailable corporation capable of virtually killing you and accountable only to it's shareholders, while the fed is a faceless unassailable government capable of physically killing you and accountable only to it's campaign contributors, with both constantly engaging in revolving door politics with each other? I see....that's completely different. /s
Ah, there it is!
I was wondering when the Android Shills would show up!
Two words: You're wrong.
Re: (Score:1)
Another shithead for whom Apple can do no wrong. Quit gargling Tim Cook's balls for fuck's sake.
Re: (Score:2)
I was wondering when the Android Shills would show up!
This is a story about Android. Why did you think Android "shills" wouldn't be here?
Two words: You're wrong.
Two words: Citation Needed.
Re: (Score:2)
Holy shit. And apple isn't all about profits. They intentionally slow down their phones and make repairs almost impossible to keep their profits high. Only reason they get away with it is their user are tech illiterate.
Four Decades as an Embedded Developer (both hardware and software) here. So, try again.
Re: (Score:2)
Citation required.
I've got your Citation right here.
Re: (Score:2)
Agreed! Thanks for posting the PDF.
What I found interesting is that Badbox affects only Android devices.
The other, the malware campaign, affects multiple devices, including iOS and is delivered through multiple app marketplaces.
But, it does not say it was delivered by Apple's official AppStore.
Perhaps, these iOS devices downloaded apps to jailbroken devices?
And, if that is case, does it bolsters Apple's argument NOT to open up their ecosystems to other, 3rd party, app stores?
Yes. Yes it does.
Oh no (Score:1)
Backdoored at school? Not the first time that's happened, is it?
hacking phones at your local miidle school (Score:2)
Download all their memes for fun and profit!
It is all that serious that students are bringing in their own compromised devices on campus? If the school district's IT is letting students use WiFi that has a route into more sensitive parts of the network, well that's not the fault of the malware that's an infrastructure problem.
re: android and gmail (Score:3)
How was Google's GMail not the first to discover this? Surely 150000 devices sending and receiving the same messages would trigger at least a Google Play Store policy bypass.
Data Security (Score:2)
Is the responsibility of the end-user (or the organization) - not Google or Apple.
It is not Google or Apple's responsibility to keep bad actor apps and such off your devices once it's been shipped from the factory. It's not theirs anymore, its yours. IT dept ordering hundreds or thousands of devices? Great, but that IT dept better check each device before it gets setup with an employee or student. Neither app store is perfect at blocking them, and yes Google is worse at it, but it doesn't really matter beca
Re: (Score:2)
Re: (Score:2)
The OS does not need to be open source or user modifiable for the users to still be responsible for basic data security. It being open source and user modifiable doesn't prevent this firmware injection at the supply chain. Nor does it prevent malicious apps. It may help in closing the holes that are abused, but that doesn't prevent other malware that doesn't need those. The end-user or organization should be knowledgeable enough to check/flash their firmware, not install shady apps, and run actual security
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Ok, I don't know what happened here and why your thoughts ended up taking 4 posts. None of what you said is relevant or related to anything I said or the topic at hand. In fact, I'm not even sure you actually said anything at all.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Ok, and you are still speaking in a generic way that applies to nothing here.
Re: (Score:2)
Re: (Score:2)
In Secret China Bunker (Score:3)
CCP party people talk about the wealth of information they gain from US schools.
When Chinese students exposed to that "wealth of information" they all rebel against CCP and start following K-POP bands on social media.
CCP party people ask "What did we do wrong? Copy from America should be good thing, right?"