
The infamous botnet BADBOX has received a major upgrade. Malware version 2.0 now affects over one million consumer devices, phoning home to China and waiting for attack instructions. This malware comes preinstalled on cheap, off-brand Android devices.
The new botnet version was uncovered by the Satori Threat Intelligence team at HUMAN Security.
Over one million consumer devices in 222 countries participate in the BADBOX 2.0 botnet. Brazil, the US, Mexico, Argentina, and Colombia are the most affected countries.
BADBOX malware comes preinstalled with smart TVs, TV sticks and other streamers, digital picture frames, media players, projectors, low-budget tablets, and other cheap Android devices manufactured in mainland China and shipped globally.
Like its predecessor, the 2.0 version is also driven by a backdoor that gives hackers access and privileges. When the infected device is first turned on, it contacts the command and control (C2) server and downloads a file. This sets up all the required components for persistence and communications, as well as additional payloads responsible for subsequent cyberattacks or fraud.
The hardcoded server addresses were a limitation that allowed authorities to take down the infrastructure and limit malicious connections to the home servers. Cybernews already reported that Germany blocked connections from 30,000 devices infected with BADBOX.
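The behavior described above, a device that contacts its C2 server on first boot and then keeps checking in, is something a home or small-office defender can look for in router DNS logs even without knowing the exact server addresses. The script below is an added example, not code from the HUMAN report or Cybernews; the dnsmasq-style log lines are constructed, and the blocklist domains are placeholders rather than real BADBOX indicators. It flags a device for two reasons: a query for a blocklisted domain (or any subdomain of one), and periodic contact with the same domain at near-constant intervals, the "beaconing" pattern that a backdoor polling for instructions produces. The second check is the more general one, since it does not depend on knowing the server in advance.

```python
"""Flag LAN devices that query a C2 blocklist or beacon on a fixed schedule.

Added illustrative code, not from the HUMAN/Satori report.  The log lines are
constructed in dnsmasq's query format; the blocklist entries are placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Placeholder blocklist: replace with indicators from a vetted threat feed.
C2_BLOCKLIST = {"c2-placeholder.example", "update-placeholder.example"}

# Constructed log lines: "<time> dnsmasq[pid]: query[A] <name> from <client ip>"
SAMPLE_LOG = """\
Mar 10 08:00:01 dnsmasq[512]: query[A] time.android.com from 192.168.1.20
Mar 10 08:00:05 dnsmasq[512]: query[A] api.c2-placeholder.example from 192.168.1.37
Mar 10 08:05:05 dnsmasq[512]: query[A] api.c2-placeholder.example from 192.168.1.37
Mar 10 08:10:06 dnsmasq[512]: query[A] api.c2-placeholder.example from 192.168.1.37
Mar 10 08:15:05 dnsmasq[512]: query[A] api.c2-placeholder.example from 192.168.1.37
Mar 10 08:03:11 dnsmasq[512]: query[A] cdn.example.net from 192.168.1.20
Mar 10 08:07:40 dnsmasq[512]: query[A] www.example.org from 192.168.1.20
Mar 10 08:00:00 dnsmasq[512]: query[A] stats.unknown-vendor.example from 192.168.1.44
Mar 10 08:30:00 dnsmasq[512]: query[A] stats.unknown-vendor.example from 192.168.1.44
Mar 10 09:00:00 dnsmasq[512]: query[A] stats.unknown-vendor.example from 192.168.1.44
Mar 10 09:30:01 dnsmasq[512]: query[A] stats.unknown-vendor.example from 192.168.1.44
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$"
)


def parse_log(text, year=2025):
    """Return (timestamp, queried name, client ip) tuples; syslog lines lack a year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2).lower().rstrip("."), m.group(3)))
    return events


def on_blocklist(name):
    """True for a blocklisted domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in C2_BLOCKLIST)


def beaconing(timestamps, min_events=4, max_jitter=0.1):
    """True when the gaps between consecutive contacts are nearly constant.

    Jitter is the standard deviation of the gaps relative to their mean;
    a polling backdoor typically keeps this well under 10 percent.
    """
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_jitter


def analyze(text):
    """Map client ip -> list of (domain, reasons) for every suspicious pairing."""
    per_pair = defaultdict(list)
    for ts, name, ip in parse_log(text):
        per_pair[(ip, name)].append(ts)
    findings = {}
    for (ip, name), stamps in per_pair.items():
        reasons = []
        if on_blocklist(name):
            reasons.append("blocklisted domain")
        if beaconing(stamps):
            reasons.append("periodic contact")
        if reasons:
            findings.setdefault(ip, []).append((name, reasons))
    return findings


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        for name, reasons in hits:
            print(f"{ip}\t{name}\t{', '.join(reasons)}")
```

On the constructed sample, 192.168.1.37 is flagged for both reasons, 192.168.1.44 only for the 30-minute beacon to an unknown vendor domain, and the phone at 192.168.1.20 is not flagged. A periodic-contact hit alone is a lead to investigate, not proof of compromise: legitimate update checks and telemetry beacon too, so the device's identity and the domain's reputation decide what happens next.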
“A true takedown of this threat remains elusive, as the supply chain of compromised devices is still intact,” Satori researchers write in a report.
The infected devices rely on the Android Open Source Project and are not certified by Google Play Protect, Android’s built-in malware and unwanted software protection. However, the malicious apps can also be downloaded from third-party marketplaces.
“The BADBOX and BADBOX 2.0 threat actors exploit software or hardware supply chains or distribute seemingly benign applications that contain “loader” functionality in order to infect these devices and applications with the backdoor.”

What is BADBOX 2.0 used for?
Infected devices are part of a botnet exploited by at least four hacker groups. The botnet has already allowed the threat actors to launch at least four fraud schemes.
In the ad fraud schemes, the malware rendered ad units and launched hidden browser windows that navigated to and performed actions on a collection of websites, such as game sites. The devices secretly clicked on ads on various low-quality domains, and the hackers also sold access to the devices' IP addresses.
Hackers are also running proxy services, which enable other threat actors to route their traffic through infected Android TVs, phones, and other devices.
“Threat actors who purchase residential proxy access often use that access to conduct attacks of their own, as the IP address associated with the attack will be different from the address they’re actually operating from,” researchers said.
Other payloads made infected devices programmatically create accounts on online services and collect sensitive data.
However, hackers can push any functionality they want to the controlled devices. The researchers warn that the botnet may be abused for malware distribution, distributed denial of service (DDoS) attacks, account takeovers, one-time password theft, and other attacks.
Satori researchers identified four threat actor groups involved in BADBOX 2.0:
- SalesTracker Group: is responsible for the initial BADBOX operation. It staged and managed the C2 infrastructure for BADBOX 2.0.
- MoYu Group: developed the backdoor for BADBOX 2.0, coordinated the variants of that backdoor and the devices on which they would be installed, operated a botnet composed of a subset of BADBOX 2.0-infected devices, operated a click fraud campaign, and staged the capabilities to run a programmatic ad fraud campaign.
- Lemon Group: is connected to the residential proxy services created through the BADBOX operation and is connected to an ad fraud campaign across a network of HTML5 (H5) game websites using BADBOX 2.0-infected devices.
- LongTV: is a brand run by a Malaysian internet and media company that operates connected TV (CTV) devices and makes apps for them. Some of its apps are linked to ad fraud using an “evil twin” technique, where malicious apps are disguised as legitimate ones.
The BADBOX 2.0 version has new command and control servers and updated backdoors. Each group’s infrastructure operates semi-independently but shares access to the infected device botnet, enabling parallel fraud schemes.
The new operation was first observed in May 2024, when new C2 servers were seen distributing the version 2.0 backdoor.
Collaborations with Google, Trend Micro, Shadowserver, and other HUMAN partners allowed for partial disruption of some operations and infrastructure.
“Google has taken action to prevent bad actors from attempting to monetize on its advertising platforms by terminating publisher accounts associated with BADBOX 2.0 from the Google Ad ecosystem,” the report reads.
However, these actions cannot dismantle the supply chain that constantly delivers new infected devices and spins up new C2 servers.
Researchers urge users to check Play Protect certification on devices and avoid third-party app stores. Google Play Protect automatically warns users and blocks apps known to exhibit BADBOX 2.0-associated behavior at install time on certified Android devices with Google Play Services.