BADBOX Botnet Rises Again: 192,000+ Android Devices Compromised

The BADBOX botnet is back and more dangerous than ever. Originally thought to have been dismantled, this cybercriminal operation has not only resurfaced but expanded, compromising over 192,000 Android-based devices globally. Bitsight Security Research’s latest report reveals alarming details about the botnet’s resurgence and its growing sophistication.

BADBOX is a large-scale malware operation that compromises Android devices, including TV boxes, smartphones, and now high-end smart TVs, directly at the supply chain level. This means that devices are infected with malware before reaching the hands of consumers, often through tampered firmware or preinstalled applications.

As Bitsight explains, “These devices fall victim to a complex criminal scheme, where they are either tampered with during the supply chain or sold by the manufacturer with the ability to install APKs without the user’s consent.”

From an estimated 74,000 devices at its peak, the botnet has expanded to over 192,000 infected devices globally, with telemetry showing the numbers steadily increasing. Unlike previous campaigns that primarily targeted low-cost, off-brand devices, BADBOX has expanded its reach to include premium devices such as the Yandex 4K QLED Smart TV and the Hisense Instawall T963 smartphone. The highest concentration of infected devices has been observed in Russia, China, India, Belarus, Brazil, and Ukraine, with residual activity in countries like the United States and France.

BADBOX malware leverages its presence in device firmware to perform malicious activities, including:

  • Residential Proxying: Using compromised devices as proxy endpoints.
  • Remote Code Installation: Allowing threat actors to deploy new malware modules without user consent.
  • Ad Fraud and Account Abuse: Exploiting infected devices for fraudulent activities.

The malware immediately connects to a command-and-control (C2) server upon booting, enabling it to download and execute new payloads. Bitsight’s report highlights, “Entirely new payloads could be constructed by the threat actors, downloaded and executed, to perform new schemes beyond what we have visibility as of now.”

BADBOX infections highlight the risks associated with compromised supply chains. Bitsight notes that infection methods include both intentional modifications by manufacturers and tampering during the development or shipping phases. These practices make detection extremely challenging for consumers and enterprises alike.

The report uncovered communications between Yandex 4K QLED Smart TVs and a BADBOX C2 domain (coslogdydy[.]in). “It’s the first time a major brand Smart TV is seen directly communicating at such volume with a BADBOX command and control (C2) domain,” researchers wrote. Over 100,000 unique IPs from Yandex devices were detected within a single day.

While some countries, such as Germany, have made strides in disrupting the botnet—recently affecting 30,000 devices—the global spread of BADBOX remains a significant challenge. Bitsight researchers were able to sinkhole a BADBOX domain, capturing over 160,000 unique IP addresses in just 24 hours, underscoring the botnet’s vast scale.
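The two measurements quoted above (over 100,000 unique Yandex IPs reaching the C2 domain in a day, and over 160,000 unique IPs at a sinkhole in 24 hours) are both counts of distinct sources contacting a known domain. The following is an added example, not code from the article or from Bitsight, showing how a defender would run that check over their own DNS query logs: refang the indicator, match the domain and any subdomain, and count unique source IPs per day. The log format (timestamp, source IP, query name) and the sample lines are constructed; the only value taken from the article is the domain coslogdydy[.]in.

```python
"""Added example (not from the Bitsight report or the article): scan DNS
query logs for lookups of a BADBOX C2 domain and count the unique source
IPs per day, the same kind of measurement behind the 'unique IPs in 24 hours'
figures quoted above.  The log format and the sample lines are constructed;
only the domain coslogdydy[.]in comes from the article."""
from collections import defaultdict
from datetime import datetime

# Indicator taken from the article, stored defanged so it cannot be clicked
# or resolved by accident; refang() restores the real form for matching.
C2_INDICATORS_DEFANGED = ["coslogdydy[.]in"]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for comparisons."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches_indicator(qname: str, indicators: list) -> bool:
    """True if qname equals an indicator or is a subdomain of one.
    A name that merely ends in the same letters (notcoslogdydy.in) is not a hit."""
    name = qname.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in indicators)


def parse_line(line: str):
    """Parse a constructed 'ISO-timestamp src_ip qname' DNS log line.
    Returns (timestamp, src_ip, qname) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def unique_sources_per_day(lines, indicators_defanged=C2_INDICATORS_DEFANGED):
    """Return {'YYYY-MM-DD': set_of_source_ips} for queries to the C2 domain."""
    indicators = [refang(i) for i in indicators_defanged]
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src_ip, qname = parsed
        if matches_indicator(qname, indicators):
            hits[ts.strftime("%Y-%m-%d")].add(src_ip)
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses; not real telemetry).
SAMPLE_LOG = """\
2024-12-18T00:05:11 192.0.2.10 coslogdydy.in
2024-12-18T00:05:12 192.0.2.10 coslogdydy.in
2024-12-18T01:17:40 192.0.2.11 api.coslogdydy.in
2024-12-18T02:00:00 192.0.2.12 notcoslogdydy.in
2024-12-18T03:30:00 198.51.100.7 example.org
garbage line
2024-12-19T09:12:03 203.0.113.5 COSLOGDYDY.IN.
""".splitlines()


if __name__ == "__main__":
    for day, ips in sorted(unique_sources_per_day(SAMPLE_LOG).items()):
        print(f"{day}: {len(ips)} unique source IP(s) -> {sorted(ips)}")
```

Counting distinct source IPs rather than raw queries matters because an infected device beacons repeatedly; the repeated lookups from 192.0.2.10 in the sample collapse to one affected host, which is the number a network owner actually needs for remediation.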

Bitsight warns, “Not only is your data at risk, you might also be used for profit and cover of malicious operations.”
