Android TV Boxes Infected with Backdoors, Compromising Home Networks

The Android TV box you recently purchased may be riddled with harmful backdoors.

A new report from the cybersecurity firm Human Security confirms the presence of two backdoors, Badbox and Peachpit, in popular and widely used Android TV boxes.


  • Cybersecurity Firm Human Security has discovered malware on dozens of streaming devices and iOS/Android apps.
  • A huge number of Android TV boxes contain malware capable of conducting ad fraud, creating fake accounts, and selling access to home networks.
  • Researchers found that the malware they have dubbed Badbox is not only tricky to detect but difficult to remove as well.
  • Android TV box users must prefer installing apps from reliable sources and keep their devices up-to-date.
  • Human Security has already shared details of its findings with concerned law enforcement agencies.

In a report published by Human Security’s Satori Threat Intelligence and Research Team on October 4th, 2023, there are signs that 200 different models of Android TV boxes might be containing malware, indicating an organized network of ad fraud behind it.

Researchers analyzed seven Android TV boxes and one tablet and found backdoors installed in all of them. Here are the tested models:








MXQ Pro 5G

Of the devices HUMAN acquired from online retailers, 80 percent were infected with BADBOX, demonstrating how widely they were circulating in the market.

It is worth noting that, T95 is a known TV Box for carrying pre-installed malware. In January 2023, Canadian infrastructure and security systems consultant, Daniel Milisic discovered malware on the T95 TV Box which he bought through Amazon.

In February 2023, Malwarebytes researchers confirmed that there are pre-installed malware on this particular TV Box. However, to this date, Amazon continues to sell the malicious T95 TV Box.

Android TV Boxes Infected with Backdoors, Compromising Home Networks
Malicious T95 TV Boxes ready to be shipped through Amazon (Screenshot:

According to Human Security’s CISO Gavin Reid, the network resembles a “Swiss Army knife of doing bad things on the internet.” Gavin told Wired that this is a well-organized fraud.

For your information, these boxes use Android Open Source Project (AOSP) instead of Google-certified Google TV or Android TV, such as Nvidia Shield or Chromecast. The issue occurs due to AOSP’s open access.

In their blog post, researchers noted that Badbox comes preloaded on Android TV devices made in China before being dispatched to resellers. After the devices are plugged in, the malware connects with a C2 server in China.

Further, it fetches a set of instructions that informs it about the malicious activities it has to perform on the device. These include ad fraud, creating fake WhatsApp and Gmail accounts, selling access to home networks, and installing remote code.

Badbox backdoor helps install infected apps on devices. It modifies a component of the Android OS, forcing it to execute code and access apps installed on the device. While researching, Human Security found different types of fraud associated with the infected devices, including residential proxy services and advertising fraud, and noticed that the group behind this campaign is selling access to home networks.

“The extent of BADBOX’s spread and impact is massive. HUMAN’s Satori team observed at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes worldwide showing signs of BADBOX infection.”

Human Security

According to their technical report (PDF), Human Security focused on another malware called PEACHPIT, Badbox’s ad fraud component that can launch spoofed web traffic, hidden ads, and malvertising on Android and iOS devices and apps.

Android TV Boxes Infected with Backdoors, Compromising Home Networks
Imported library managing ad rendering (Screenshot: Human Security)

Peachpit malware is less harmful than Badbox, though. Researchers identified 39 iOS, Android, and TV box apps containing Peachpit. It is worth noting that Peachpit malware can operate on Android and iOS devices both, whereas Badbox targets Android devices only.

Peachpit is a collection of 39 Android, iOS, and CTV-centric apps, each containing a hardcoded connection to a fake SSP (supply-side platform), which adds a piece of JavaScript code into the app’s WebView to obtain details of the device the app is running on before launching the ad.

“PEACHPIT reached a peak of 121,000 infected Android devices and 159,000 infected iOS devices. These devices accounted for an average of 4 billion ad requests a day. No iOS devices were themselves impacted by the BADBOX backdoor; they were targeted only by PEACHPIT apps available for download from many major app marketplaces.”

Human Security

People looking for low-cost streaming devices and TV boxes usually turn to Chinese manufacturers. However, time and again, it has been proven that Chinese Android TV boxes typically come infected with malware.

  1. Amazon Still Selling T95 TV Box with Pre-Installed Malware
  2. Hundreds of Android devices shipped with pre-installed malware
  3. Malware Duo pre-installed on thousands of cheap Android phones
  4. Smart TVs make screenshots every second & send them to the server
  5. Samsung asks users to scan their Smart TVs for malware – Here’s how to
Related Posts