Badbox 2.0: One million infected devices in the botnet

In December, the BSI paralyzed the Badbox botnet. Its successor, Badbox 2.0, infected one million IoT devices.

Android TV stick with malware

(Image: Created with AI in Bing Designer by heise online / dmk)


The masterminds behind the Badbox botnet have adapted their activities and created the Badbox 2.0 botnet – with more than one million infected devices. The original Badbox malware had infected tens of thousands of Internet-of-Things devices with AOSP-based firmware (Android Open-Source Project) at the end of last year. In December, the BSI paralyzed the communication of 30,000 drones in Germany.

The geographical distribution of devices infected with Badbox 2.0 shows a particularly high number in Brazil, the USA and Mexico.

(Image: Humansecurity)

Humansecurity reports in a blog post that the Badbox 2.0 network has now also been disrupted, at least in part. This was achieved in collaboration between Humansecurity, Google, Trend Micro, Shadowserver and other parties. Like its predecessor Badbox, Badbox 2.0 primarily attacks cheap end-user devices. More than one million unbranded, non-certified connected TV boxes (CTV), tablets, digital projectors and other devices with AOSP-based firmware are affected. However, devices protected with Play Protect or those with Android TV OS are not among them.

All devices were produced in China and shipped globally, the IT researchers explain. They have observed Badbox 2.0 traffic from 222 countries and regions. The malware is most widespread in Brazil (37.62%), the USA (18.21%) and Mexico (6.32%). Following the BSI's disruptive action against the original Badbox botnet in December, the researchers no longer show a significant proportion for Germany.


Google has taken several measures to disrupt the Badbox 2.0 infrastructure or take it offline as far as possible. Google Play Protect warns against the installation of apps that are known to exhibit Badbox-related behavior. This protection is activated by default on devices with Google Play Services and also warns against apps that are downloaded and installed outside the Google Play Store. Owners of Android devices should therefore activate Google Play Protect. Google has also deactivated publisher accounts in the Google advertising ecosystem that are associated with Badbox 2.0. The company advises users to check whether their devices are Google Play Protect-certified, and provides instructions on how to do this.

The malicious functions remain largely identical to the original Badbox: the botnet drones serve as so-called residential proxies, allowing criminals to disguise their origin and use the infected devices as VPN endpoints. They also engage in advertising and click fraud by invisibly loading websites in the background and displaying advertisements on them, some of which are clicked automatically. Technically, however, the infected devices are not limited to this: the drones can download further APKs and execute other malicious code. In the blog post, the IT researchers describe these malicious functions in more detail and also provide indicators of compromise (IoCs), for example the names of factory-infected devices and URLs of command and control (C2) servers.
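The C2 server URLs and device names that Humansecurity publishes as IoCs are only useful if they are actually checked against something. The following script is an added example, not code from the article or from Humansecurity, and it does not contain the real IoCs: it reads dnsmasq-style resolver log lines from an IoT network segment and reports every source address that tried to resolve a listed C2 domain or one of its subdomains. The `C2_DOMAINS` set holds constructed placeholder names that an operator would replace with the domains from the report, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed placeholder IoC list. The real factory-infected device names and
# C2 URLs are in Humansecurity's report and are deliberately not reproduced here.
C2_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample resolver log (dnsmasq query format) from an IoT VLAN.
SAMPLE_LOG = """\
Mar 5 10:01:02 dnsmasq[812]: query[A] update.c2-placeholder-1.example from 192.168.50.21
Mar 5 10:01:02 dnsmasq[812]: query[A] time.android.com from 192.168.50.21
Mar 5 10:01:07 dnsmasq[812]: query[A] c2-placeholder-2.example from 192.168.50.21
Mar 5 10:02:11 dnsmasq[812]: query[A] www.heise.de from 192.168.50.30
Mar 5 10:03:40 dnsmasq[812]: query[A] api.c2-placeholder-1.example from 192.168.50.42
"""

# Matches the queried name and the client address in a dnsmasq "query" line.
QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")


def matches_ioc(name, ioc_domains):
    """Return the IoC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for dom in ioc_domains:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def scan_dns_log(log_text, ioc_domains=C2_DOMAINS):
    """Map each client address to the set of IoC domains it tried to resolve.

    A device that appears here has at least attempted to reach a listed C2
    domain and should be isolated and inspected; a miss only means that no
    listed domain was queried in this log window.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        dom = matches_ioc(m.group("name"), ioc_domains)
        if dom:
            hits[m.group("src")].add(dom)
    return dict(hits)


if __name__ == "__main__":
    for src, doms in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(f"{src}: attempted to resolve {sorted(doms)}")
```

Subdomain matching matters because the drones fetch additional APKs from hosts under the C2 domains, so an exact-match check would miss most of the traffic. Running the same logic on firewall or proxy logs from the segment where unbranded CTV boxes and tablets live gives a practical way to find factory-infected devices without relying on Play Protect, which these AOSP-based devices lack.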

Android TV boxes appear to be a popular vehicle for criminals. Last September, the antivirus manufacturer Dr. Web detected the malware “Vo1d” on such devices. The malware was discovered on around 1.3 million Android TV boxes.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.