Rising Threat: Android Devices Shipped with Preinstalled Malware

In a recent revelation, a significant number of Android devices, particularly streaming boxes, have been found to be shipped with preinstalled malware. This alarming discovery has raised concerns about the security of devices right out of the box.

Key Highlights:

  • T95 and similar knockoff streaming boxes are the primary culprits.
  • Two main trojans identified: BadBox and PeachPit.
  • BadBox has affected over 74,000 Android devices globally.
  • The malware operates through firmware backdoors installed via the regular hardware supply chain.
  • PeachPit serves ads for low-quality apps that further infect devices.
  • The cybercriminal operation, named BadBox by Human Security, is intricate and has a global reach.

The Depth of the Issue:

If you’ve purchased a T95 or a similar knockoff streaming box running Android, there’s a high likelihood that your unit was shipped with preinstalled malware. But this isn’t just any malware. The devices are potentially infected with two different trojans, BadBox and PeachPit. Both are highly malicious and have been causing havoc in the digital realm.

BadBox, in particular, has spread far and wide, affecting over 74,000 Android devices across the world. It is not just another piece of malware but a complex, interconnected series of fraud schemes. At its core, BadBox is a collection of firmware backdoors installed through the regular hardware supply chain. Once these devices are activated and connected to a network, they instantly link to a command-and-control server and receive further malicious instructions.

PeachPit, on the other hand, is the ad fraud component of BadBox. It immediately starts serving ads for low-quality apps. When unsuspecting users install these apps, their devices get infected with more malicious code.

The Global Spread:

The cybercriminal operation, dubbed “BadBox” by Human Security, is not just sophisticated but has a global footprint. The malware doesn’t limit itself to the T95 devices. It has spread to other set-top boxes, including T95Z, T95Max, X88, Q9, X12Plus, and MXQ Pro 5G. Additionally, an Android tablet named J5W has also been affected.

These T95 and knockoff boxes, often priced below $50, are tempting for many users. Their affordability, combined with their lack of branding and the various names under which they are sold, makes them prevalent in online retail spaces.

Protecting Yourself:

The solution might seem straightforward: avoid buying knockoff set-top boxes or devices. However, the real challenge lies in identifying these knockoffs, especially when shopping online. It’s crucial to research the brand or device name before making a purchase. If there’s a lack of information or if the available information doesn’t vouch for the brand’s legitimacy, it’s best to steer clear.

Another protective measure is to avoid clicking on ads, especially those with typos, unfamiliar brand names, or offers that seem too good to be true. Google has taken steps by removing the malicious apps from the Google Play Store, but the BadBox firmware backdoor remains a threat. The best defense is to be cautious about purchasing hardware and to install only essential apps.


The discovery of preinstalled malware on Android devices, especially streaming boxes, has raised significant security concerns. With trojans like BadBox and PeachPit in play, the threat is real and global. While protective measures are available, the onus is on users to be vigilant and make informed choices to safeguard their devices.