FBI urges users to check their cheap Android devices from China: millions infected with BadBox


Despite multiple take-down attempts, millions of consumer Android devices are running BadBox 2.0 malware, which comes preinstalled on cheap off-brand devices produced in China. The FBI wants you to check your gadgets for any suspicious activity.

Cybercriminals can now hide behind millions of compromised Android devices when hacking unsuspecting victims.

The Federal Bureau of Investigation (FBI) has issued a warning about cybercriminals exploiting hordes of IoT (Internet of Things) devices connected to home networks, using the BadBox 2.0 botnet.


“The BadBox 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cybercriminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity,” the announcement reads.

Users purchase devices already preinstalled with BadBox. This malware strain comes with cheap smart TVs, streamers, digital picture frames, media players, projectors, low-budget tablets, aftermarket vehicle infotainment systems, and other off-brand Android devices manufactured in mainland China and shipped globally.

When such a device is connected to the home network, cybercriminals gain unauthorized access. Backdoors allow the downloading of additional malicious software packages.

“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BadBox 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI warns.

A residential proxy service means that the attackers route their own traffic through the infected devices, which act as middlemen for illegal content streaming, ad fraud, cyberattacks, and other criminal activity. The attackers can also target the very user who owns the device.

Authorities have tried to tame BadBox before. They effectively neutralized the first strain, identified in 2023, with a technique known as sinkholing, in which the malware's connections to its known command-and-control infrastructure are redirected to servers under defenders' control. Internet service providers act as a floodgate, keeping the infected devices from reaching the known malicious infrastructure.

Sinkholing of the BadBox 2.0 strain has expanded sharply in recent days, from 500,000 to 2.2 million sinkholed IP addresses, according to data from the Shadowserver Foundation. A sudden jump in sinkholed IPs signals another significant takedown operation.

BadBox 2.0 infections skyrocket


Over 146,000 compromised IPs are in the US. Most of the infected and sinkholed devices are still in use in Brazil (864,000).


How to recognize a BadBox-infected device?

The FBI urges users to evaluate the IoT devices in their homes for any indications of compromise and to “consider disconnecting suspicious devices from their networks.”

BADBOX 2.0 botnet activity includes the following indicators:

  • The presence of suspicious marketplaces from which apps are downloaded.
  • Apps or devices that require Google Play Protect settings to be disabled.
  • Generic TV streaming devices advertised as unlocked or as capable of accessing free content.
  • IoT devices sold under unrecognizable brands.
  • Android devices that are not Play Protect certified.
  • Unexplained or suspicious Internet traffic.

The FBI recommends monitoring home networks' Internet traffic, assessing all IoT devices connected to home networks for suspicious activities, and keeping them up to date.
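The last indicator in the list above, unexplained Internet traffic, is the one a home user can actually measure. The following Python script is an added illustration of the monitoring the FBI recommends; it is not code from the advisory or from the article. It assumes a home router that exports per-flow records as CSV lines (device, destination IP, destination port, bytes out, bytes in, local hour), which is an assumed format, and every record below is constructed. The heuristics separate a receive-heavy media device (few CDN destinations, evening hours, almost no upload) from a device that is relaying other people's traffic (many unrelated destinations, upload roughly matching download, activity all night).

```python
"""Heuristic triage of home-router flow records for proxy-like IoT behaviour.

Added example, not code from the FBI advisory or the article. It assumes the
router exports per-flow records as CSV lines of the form
device,dst_ip,dst_port,bytes_out,bytes_in,hour (an assumed format); all
sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    device: str      # label the router assigns (hostname or MAC alias)
    dst_ip: str
    dst_port: int
    bytes_out: int   # bytes the device sent
    bytes_in: int    # bytes the device received
    hour: int        # local hour (0-23) the flow started


@dataclass
class DeviceProfile:
    destinations: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0


def parse_flow_line(line: str) -> Flow:
    """Parse one CSV record in the assumed router export format."""
    device, dst_ip, port, out, inc, hour = line.strip().split(",")
    return Flow(device, dst_ip, int(port), int(out), int(inc), int(hour))


def profile_devices(flows) -> dict:
    """Aggregate flows per device into the features the heuristics use."""
    profiles = defaultdict(DeviceProfile)
    for f in flows:
        p = profiles[f.device]
        p.destinations.add(f.dst_ip)
        p.ports.add(f.dst_port)
        p.hours.add(f.hour)
        p.bytes_out += f.bytes_out
        p.bytes_in += f.bytes_in
    return profiles


def proxy_indicators(p: DeviceProfile, min_fanout=20, min_out_ratio=0.5,
                     quiet_hours=range(1, 6), expected_ports=frozenset({80, 443})):
    """Return the reasons a device looks like a relay rather than a media player.

    A streamer or picture frame mostly downloads from a handful of CDN hosts in
    the evening; a device relaying someone else's traffic talks to many
    unrelated hosts, uploads about as much as it downloads, and never sleeps.
    """
    reasons = []
    if len(p.destinations) >= min_fanout:
        reasons.append(f"fan-out: {len(p.destinations)} distinct destinations")
    ratio = p.bytes_out / max(p.bytes_in, 1)
    if ratio >= min_out_ratio:
        reasons.append(f"upload-heavy: out/in byte ratio {ratio:.2f}")
    quiet = sorted(h for h in p.hours if h in quiet_hours)
    if quiet:
        reasons.append(f"active in quiet hours: {quiet}")
    odd_ports = sorted(p.ports - expected_ports)
    if odd_ports:
        reasons.append(f"non-web destination ports: {odd_ports}")
    return reasons


def triage(log_text: str, alert_threshold=2) -> dict:
    """Map each device tripping at least alert_threshold heuristics to its reasons."""
    flows = [parse_flow_line(l) for l in log_text.splitlines() if l.strip()]
    flagged = {}
    for device, p in profile_devices(flows).items():
        reasons = proxy_indicators(p)
        if len(reasons) >= alert_threshold:
            flagged[device] = reasons
    return flagged


# Constructed sample export: a receive-heavy smart TV, a laptop, and a
# digital picture frame behaving like a residential proxy node.
SAMPLE_LOG = "\n".join(
    [
        "living-room-tv,203.0.113.10,443,40000,900000000,20",
        "living-room-tv,203.0.113.11,443,35000,700000000,21",
        "living-room-tv,203.0.113.12,443,20000,300000000,22",
        "laptop,198.51.100.5,443,2000000,30000000,19",
        "laptop,198.51.100.77,443,500000,8000000,20",
    ]
    + [
        f"photo-frame,198.18.{i}.{(i * 13) % 256},{443 if i % 2 else 8080},"
        f"{1500000 + i * 1000},{1600000 - i * 1000},{(i * 7) % 24}"
        for i in range(1, 41)
    ]
)

if __name__ == "__main__":
    for device, reasons in triage(SAMPLE_LOG).items():
        print(f"{device}: investigate")
        for r in reasons:
            print(f"  - {r}")
```

The thresholds are deliberately loose and a single tripped heuristic is not an alert: a game console or a backup client can legitimately upload a lot, and a phone charging overnight will show traffic in the quiet hours. A device that trips several at once, especially an off-brand streamer or picture frame that should do nothing but download, is the one worth disconnecting and looking at more closely.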

“Avoid downloading apps from unofficial marketplaces advertising free streaming content,” the announcement reads.

However, if a device is infected with BadBox, removing the malware is difficult and requires a complicated firmware reflash. Consider replacing it instead.
