Millions of Android TV boxes disconnected from hackers, but the risk remains


A record five million devices, mostly Android TV boxes, are running malware that can no longer call back to hackers after authorities cut off their controllers. However, the devices are still dangerous, and owners should replace them.

Shadowserver Foundation, a UK government-funded internet security platform, tracks around five million IP addresses “sinkholed” every day. Just weeks ago, the number was closer to 2.5 million, representing a two-fold jump since the beginning of March.

Sinkholing is a technique where malicious servers are taken over, or connections are redirected to a benign listener, preventing bots from communicating with their operators. Shadowserver tracks the numbers across 400 different malware family variants.

[Image: Shadowserver sinkhole statistics]

Only a few malware strains dominate the list.

Most infected devices are part of the Android-based Vo1d malware family. Over 2.4 million of these bots are currently disconnected from their masters, an increase of almost two million since the beginning of March.

Similar malware, BadBox, which comes preinstalled on cheap off-brand Android devices manufactured in China, was partially disrupted in January. Over 500,000 BadBox-infected devices have been sinkholed since then.

These two new sources caused the spike in the sinkholing data.

More than eight years have passed since authorities took down the Avalanche and later Andromeda botnets, but one million computers are still running these malware strains.

At one time, the Avalanche cybercrime network was responsible for two-thirds of all phishing attacks. It employed domain generation algorithms, and authorities had to block and sinkhole over 848,000 domains used for malware control.

Over 150,000 systems are running the M0yv remote access trojan, which is used as a dropper for additional packages.


Some other notable “sinkholed” threats include nearly 100,000 systems infected with SOCKS5 proxy malware “Socks5Systemz.” This turns infected computers into proxies for hackers to hide their malicious activity. Over 74,000 devices are affected by adware AdLoad.

Banking trojans Tinba and Nymaim each affect around 15,000 devices but can no longer phone back to their controllers, Shadowserver data reveals.

Each day, the infected devices make over 600 million attempts to connect to the sinkholed servers. Each device tries to reach a command and control (C2) server an average of 120 times.

While the malware might seem to be on a leash, Cybernews security researchers warn that the risk for owners is still critically high.

Sinkholing is a band-aid solution and doesn’t protect the owners

Aras Nazarovas, Information Security Researcher at Cybernews.com, warns the owners of the five million infected devices: you’re still at risk.

Even if the connection to the original botnet is severed, the infected devices can run other malicious packages previously delivered by the same threats and connect to servers that are still online.

“To create a sinkhole, you don't need to take down the command-and-control infrastructure. It can be done by identifying it and then rerouting traffic via DNS address resolution on the ISP (internet service provider) or organization level,” Nazarovas explains.
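The mechanism described above, and the per-device connection rate quoted earlier (about 120 C2 attempts per day), can be shown in a small defender-side script. This is an added example, not Shadowserver's or Cybernews' code: it applies a DNS rewrite policy to query names and then replays a constructed query log to count which clients keep looking up sinkholed names. The domains, client addresses and log lines are constructed for illustration, and `192.0.2.1` is an RFC 5737 documentation address standing in for the benign listener; no real indicators are used.

```python
"""Toy DNS sinkhole policy plus a beacon count over a query log.

Added illustration, not Shadowserver's or Cybernews' code. Every domain,
client address and log line below is constructed for the example.
"""
from collections import Counter
import re

# Constructed zones to sinkhole (placeholders, not real indicators).
SINKHOLE_DOMAINS = {"c2-update.example.net", "ads-cdn.example.org"}
# Documentation address standing in for the benign sinkhole listener.
SINKHOLE_IP = "192.0.2.1"


def parent_domains(name):
    """Yield the name itself and each parent zone: a.b.c -> a.b.c, b.c, c."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolve_with_policy(qname, upstream):
    """Return (answer, sinkholed).

    A name at or under a listed zone is answered with the sinkhole address
    instead of the real upstream answer, which is what an ISP- or
    organisation-level DNS sinkhole does for bots on its network.
    """
    for candidate in parent_domains(qname):
        if candidate in SINKHOLE_DOMAINS:
            return SINKHOLE_IP, True
    return upstream(qname), False


# BIND-style query log line (assumed format for this example).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample log: one client polls a listed zone every ~12 minutes.
SAMPLE_LOG = """\
2025-03-20T00:10:01 client 10.0.0.23#51234: query: c2-update.example.net IN A
2025-03-20T00:10:01 client 10.0.0.7#40001: query: www.example.com IN A
2025-03-20T00:22:14 client 10.0.0.23#51235: query: c2-update.example.net IN A
2025-03-20T00:34:27 client 10.0.0.23#51236: query: C2-Update.example.net. IN A
2025-03-20T00:46:40 client 10.0.0.23#51237: query: c2-update.example.net IN A
2025-03-20T01:02:03 client 10.0.0.7#40002: query: cdn3.ads-cdn.example.org IN A
2025-03-20T01:05:55 client 10.0.0.23#51238: query: mail.example.com IN A
"""


def sinkholed_queries_by_client(log_text):
    """Replay log lines through the policy; count sinkholed lookups per client."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, sinkholed = resolve_with_policy(m["qname"], lambda n: None)
        if sinkholed:
            counts[m["client"]] += 1
    return counts


def flag_beaconing(counts, threshold):
    """Clients whose sinkholed-lookup count meets the threshold, busiest first.

    Shadowserver reports roughly 120 C2 attempts per infected device per day,
    so a daily threshold well below that still separates bots from one-off
    lookups; the constructed log here covers only an hour.
    """
    return sorted(
        ((client, n) for client, n in counts.items() if n >= threshold),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    counts = sinkholed_queries_by_client(SAMPLE_LOG)
    for client, n in flag_beaconing(counts, threshold=3):
        print(f"{client}: {n} sinkholed lookups, likely infected")
```

Run as a script it prints the one client that keeps polling a listed zone. On a real resolver the same policy is expressed as a response policy zone rather than Python, and the count would be taken over a full day; the point is that the sinkhole answer itself is the detection signal, so the local log of who received it is what tells an owner or ISP which box to replace.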

The five million tracked sinkholed devices are not necessarily dangerous, as they can’t reach the hackers anymore. However, no one can be certain.


Nazarovas noted that the majority of infected devices are off-brand Android TV boxes and other similar cheap devices that Google Play Protect does not protect.

“The manufacturer-compromised devices already come with malicious packages installed, and often these devices are ‘rooted’ and may contain additional firmware/OS tweaks and vulnerabilities. Therefore, it can get tricky to identify all the possible backdoors,” Nazarovas said.

“Removing shady apps or packages won’t be enough in this case to guarantee a safe device operation. Their firmware needs to be reflashed with the secure one, or, if that’s not possible, the devices should be recycled.”

Reflashing a non-compromised firmware version can be very complicated for the average end user, especially on off-brand devices without support.

All the infected devices will run unnecessary CPU cycles, which could introduce lag.

“ISPs in a lot of countries may contact you if they detect malicious traffic coming from your internet connection and might even threaten to cut service until you remove the threat,” Nazarovas said.

Sinkholing also isn’t bulletproof, as it relies on international cooperation and multiple intermediaries.

“Your device may rejoin the botnet if the sinkhole operator makes a mistake or there are additional backdoors installed.”

Which countries have the most infected devices?

According to the Shadowserver data, Brazil leads in the number of sinkholed IPs and has over 800,000 devices that can’t reach C2 servers. India is next, with 742,000 devices, followed by South Africa (244,000), Indonesia (230,000), Argentina (108,000), and Pakistan (105,000).

[Image: Shadowserver map of sinkholed IPs by country]

In the US, 82,000 devices run malware with severed connections to its C2 servers.

In Europe, 32,000 IPs were registered in France, 20,000 in Spain, 18,000 in Germany, 13,000 in the UK, and thousands more in other countries.

Security researchers have been tracking the Vo1d botnet since last September. An investigation by Xlab has revealed that the updated botnet has infected over 1.6 million Android TV devices across 226 countries, making it 100 times larger than the botnet behind the record-breaking DDoS attack reported by Cloudflare. The first version of the Vo1d botnet was discovered last year by Russian security firm Dr. Web on over 1.3 million devices.

The second version significantly enhances stealth, resilience, and anti-detection capabilities, including encryption, redirector servers, and others.

“Both Vo1d and BadBox abuse advertisement networks to farm ad revenue via fake clicks, so it is possible they are related, but could also be competing botnets,” Nazarovas noted.


Botnets also lease out access to their massive infrastructure to cybercrime groups, which then perform DDoS or other cyberattacks.

New set-top TV boxes arriving from Chinese manufacturers will likely have updated malware and C2 servers.

Xlab researchers found that some million-scale botnets targeting Android TVs share string decryption algorithms, and the overlap “is unlikely to be a mere coincidence.”


“Some device manufacturers have ties to illicit actors, pre-installing malicious components at the factory level. As shipment volumes grow, so does the infection scale, culminating in the jaw-dropping botnets we see today,” Xlab said.

The researchers also warned that users harbor misconceptions about the security of TV boxes, deeming them safer than smartphones. This is not true.

The widespread piracy practice of downloading cracked apps, third-party software, or flashing unofficial firmware “greatly increases device exposure, creating fertile ground for malware proliferation.”