Human Security’s Satori research team has uncovered a new variant of the remotely controlled Badbox malware, and reports indicate that up to a million Android devices have been infected and enrolled in a large botnet. The original Badbox outbreak was identified in 2023, when off-brand Android-based internet-connected TV devices were found to ship with preinstalled malware and to take part in a large ad-fraud operation known as Peachpit. That initial Badbox cluster comprised around 74,000 devices.
The latest version, Badbox 2.0, targets devices running the base Android Open Source Project (AOSP), including cheap off-brand phones, more net-connected TV boxes, tablets designed for use in cars, and digital projectors. Gavin Reid, Chief Information Security Officer at Human Security, revealed that the creators of the botnet often spread the malware by tampering with the supply chain, purchasing inexpensive hardware, installing the malicious code either in firmware or in popular apps, rebranding the products, and then selling them to unsuspecting consumers.
Human Security’s researchers have also identified more than 200 apps carrying malware linked to the botnet, all of them hosted on third-party Android app stores. These malicious apps typically impersonate legitimate programs available on Google’s Play Store, so users of third-party stores unknowingly download the compromised versions instead. Lindsay Kaye, Vice President of Threat Intelligence at Human Security, emphasized the complexity and scale of the Badbox 2.0 operation, highlighting the various types of devices targeted and the sophisticated nature of the fraud scheme.
The botnet primarily monetizes infected devices by rendering hidden ads that users never see and by committing ad-click fraud. To evade detection, its operators take care to conceal this fraudulent traffic. In addition, evidence suggests that the malware can steal passwords entered on infected devices, which poses a significant risk to users’ sensitive information.
Although Badbox 2.0 infected nearly a million devices at its peak, a collaborative effort by Human Security, Google, Trend Micro, and the Shadowserver Foundation has reduced that number significantly. By identifying and taking down command-and-control servers, monitoring suspicious traffic from Android devices, and alerting companies to ad fraud originating from these devices, these organizations have blunted the botnet’s impact.
Although the infections appear to have been detected relatively early, experts expect the criminals behind Badbox 2.0 to try to revive their network by changing tactics. The prospect of a resurgence underscores the need for continued vigilance; at the same time, the coordinated response shows that threats of this kind can be contained.