I’m not one to mince words or make you wait for the payoff, so I’ll get right to the point.
If you’ve purchased a T95 (or similar knockoff) streaming box that runs Android, chances are that your unit was shipped with pre-installed malware. But this isn’t your ordinary piece of malware. Instead, we’re looking at the possibility of two different Trojans: Badbox and Peachpit, both of which are pretty nasty bits of code.
Also: Android 14 may have quietly fixed two major issues on the Google Pixel 6 and 7
One only needs to look at the extent of Badbox’s spread, which has hit over 74,000 Android devices worldwide. But Badbox isn’t just your average malware. Instead, we’re looking at a rather complex, interconnected series of fraud schemes.
Essentially, Badbox is a collection of firmware back doors that are installed via the regular hardware supply chain. Those devices get distributed into homes. Once booted and connected to a network, those devices immediately connect to what’s called a command-and-control server, where they then receive their instructions.
Badbox works with ad fraud, residential proxy services, fake email and messaging accounts, and the installation of malicious code. Peachpit is the ad fraud component of Badbox and can immediately start serving up ads for low-quality apps that, upon installation, will infect your devices with malicious code.
This sort of attack has been around for years but they’ve grown more and more sophisticated. This time around, the cybercriminal operation (dubbed Badbox by Human Security) was discovered to be quite complex and global.
Also: Google just fixed the Pixel’s big biometric security problem, but don’t get too excited
To make matters worse, Human Security discovered Badbox goes beyond the T95 devices to include seven different set-top boxes (T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) as well as an Android tablet (the J5-W). These T95 (and knockoff) boxes are inexpensive, costing less than $50, so they can be attractive options for many users. The boxes are often either unbranded or sold under various names (which is a rampant phenomenon found in many online retailers).
Back in January, the first instance of a set-top box shopping with this pre-installed malware was reported. According to that report, the device (called the AllWinner T616 processor) used an Android 10 ROM and, once up and running, would attempt to connect to IP addresses associated with active malware.
With Badbox, over 200 different models of Android devices could be affected.
What can you do?
The solution to this is pretty simple: Don’t buy knockoff set-top boxes or devices. That sounds pretty simple but, in reality, it’s not so easy. When shopping on Amazon, you’ll find a never-ending stream of good deals. When you come across one of those deals that appeals to you, the first thing you should do is research the brand device name.
If you’re looking at a device with a name like AllWinner, look it up. If you can’t find any information on the company, avoid it. If you find information from a reliable source that indicates the brand is both legit and trustworthy, you can continue considering the purchase. Otherwise, don’t even bother putting that item in your shopping cart.
Also: How to use Norton’s free AI-powered scam detector
Another thing you can do (which should apply to every aspect of your online usage) is to not click on ads… especially those that include typos, unfamiliar brand names, or offer services that sound too good to be true.
As a rule, I tend to never click on ads and I would suggest you follow suit.
The good news is that Google has confirmed the malicious apps have been removed from the Google Play Store. That doesn’t mean, however, that the Badbox vulnerability isn’t still at large. But if you avoid purchasing knock-off or cheap hardware devices and install only the apps you must have on your phones and tablets, you’ll have a better chance of avoiding such issues.