Security researchers have uncovered a botnet of roughly 190,000 Android devices infected with the BadBox malware. The botnet spans a variety of device types, with a majority of them being Yandex 4K QLED smart TVs and Hisense T963 smartphones. The findings have raised concerns about the reach of the malware, particularly in Russia, China, India, Belarus, Brazil and Ukraine.
Bitsight, the security firm that reported the botnet, sinkholed a domain associated with the malware and saw more than 160,000 unique IP addresses contact it within 24 hours, a number that was still growing. The check-ins observed at the sinkhole also show how the malware behaves: each infected device contacts a command-and-control (C2) server when it boots, reports telemetry about itself and then waits for instructions. Because the sinkhole answered for that domain, those check-ins reached Bitsight's server rather than the operators'.
One of the more alarming aspects of the discovery is that devices from well-known brands such as Yandex and Hisense are among those infected. The volume of C2 traffic is also striking, with more than 160,000 unique IP addresses contacting the sinkhole in a single day. It illustrates a trend in malware targeting: internet-connected devices well beyond smartphones and tablets, smart TVs among them, are now in scope.
In response, Germany's Federal Office for Information Security (BSI) blocked communication between roughly 30,000 infected devices in Germany and the C2 server. All of these devices were running outdated versions of Android. Because BadBox ships pre-installed in the device firmware, an unsupported OS version means there is no vendor update path through which the malware could be removed. Sinkholing works at the DNS layer: the C2 domain is made to resolve to a server the authorities control, so the devices' check-ins land there, the operators can neither issue commands nor collect the data the malware gathers, and the infected devices can be identified by their source addresses. It does not, however, remove the malware from the device.
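What a sinkhole operator actually does with the traffic described above, whether counting unique source addresses over a 24-hour window as Bitsight did or identifying infected clients for notification as the BSI did, comes down to reading resolver or sinkhole logs. The script below is an added example written for this article; it is not Bitsight's or the BSI's tooling. The sinkholed domain names, the client IP addresses and the log lines are all constructed placeholders (the real BadBox C2 domains are deliberately not reproduced), and the log format is an assumed one.

```python
"""Find clients that resolve sinkholed C2 domains in DNS resolver logs.

Added example for this article; it is not Bitsight's or BSI's tooling.
All domains, addresses and log lines are constructed placeholders: the
real BadBox C2 domains are deliberately not reproduced here.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Hypothetical sinkholed C2 domains (assumption, not BadBox's real infrastructure).
SINKHOLED_DOMAINS = {"c2-example.invalid", "update-cdn.invalid"}

# Assumed resolver log format: "<ISO-8601 UTC ts> client=<ip> qname=<name> qtype=<type>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\w+)$"
)

# Constructed sample: boot-time check-ins from a few clients over two days,
# including a subdomain, a mixed-case name and one malformed client field.
SAMPLE_LOG = """\
2024-12-19T00:01:12Z client=203.0.113.10 qname=c2-example.invalid. qtype=A
2024-12-19T00:01:13Z client=203.0.113.10 qname=time.example.org. qtype=A
2024-12-19T03:15:40Z client=198.51.100.7 qname=api.c2-example.invalid. qtype=A
2024-12-19T09:30:02Z client=203.0.113.10 qname=C2-EXAMPLE.INVALID. qtype=A
2024-12-19T11:00:00Z client=192.0.2.44 qname=update-cdn.invalid. qtype=A
2024-12-19T23:59:59Z client=198.51.100.7 qname=c2-example.invalid. qtype=AAAA
2024-12-20T00:00:30Z client=192.0.2.99 qname=c2-example.invalid. qtype=A
2024-12-20T05:10:00Z client=not-an-ip qname=c2-example.invalid. qtype=A
"""


def is_sinkholed(qname: str) -> bool:
    """True if qname is a sinkholed domain or any subdomain of one.

    Trailing dots and letter case are normalised so 'API.C2-EXAMPLE.INVALID.'
    still matches; 'notc2-example.invalid' does not, because the check
    requires a label boundary.
    """
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def parse_sinkhole_hits(log_text: str) -> list:
    """Return (timestamp, client_ip, domain) for every query to a sinkholed domain.

    Lines that do not match the format, or whose client field is not a valid
    IP address, are skipped rather than allowed to crash the analysis.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or not is_sinkholed(m["qname"]):
            continue
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hits.append((ts, str(client), m["qname"].rstrip(".").lower()))
    return hits


def unique_clients_in_window(hits, start: datetime, hours: int = 24) -> set:
    """Distinct client IPs that hit the sinkhole in [start, start + hours)."""
    end = start + timedelta(hours=hours)
    return {client for ts, client, _ in hits if start <= ts < end}


def first_contact(hits) -> dict:
    """Earliest sinkhole contact per client, a proxy for its boot-time check-in."""
    first = {}
    for ts, client, _ in sorted(hits):
        first.setdefault(client, ts)
    return first


if __name__ == "__main__":
    hits = parse_sinkhole_hits(SAMPLE_LOG)
    day = datetime(2024, 12, 19)
    print(f"{len(hits)} sinkhole hits")
    print(f"{len(unique_clients_in_window(hits, day))} unique clients on {day:%Y-%m-%d}")
    for client, ts in first_contact(hits).items():
        print(f"{client} first seen {ts:%Y-%m-%dT%H:%M:%SZ}")
```

Two details matter in practice. Matching on a label boundary (`name == d` or `name.endswith("." + d)`) catches C2 subdomains without also catching unrelated names that merely end in the same string, and discarding log lines with an unparsable client field keeps one corrupt record from aborting a run over millions of lines. Counting distinct client IPs per 24-hour window, as the script does, is also the measure Bitsight reported; it undercounts devices behind shared NAT addresses and overcounts devices whose address changes, so treat it as an estimate of scale rather than a device inventory.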
Once BadBox is present on a device, it exposes the user to several risks. It can create email and messaging accounts that are used to spread disinformation, commit ad fraud by loading websites and advertisements in the background, and act as a residential proxy, letting criminals route their traffic through the victim's internet connection and IP address. It can also download and run additional payloads, so the set of threats is not fixed by what ships on the device.
Despite these efforts, sinkholing has had limited effect on the botnet as a whole: it spans many countries, a sinkhole cuts off communication without cleaning the device, and the malware keeps arriving on new devices shipped worldwide through compromised supply chains, which is a hard problem for defenders. The BSI's call for internet providers to assist in sinkholing operations highlights the need for a coordinated response to threats of this kind.
In conclusion, the BadBox botnet is a stark reminder that criminals no longer need to break into a device after purchase; they can compromise it in the supply chain before it reaches the buyer. While the current focus is on devices in specific countries, the global reach of this malware should prompt users everywhere to secure their devices, favour hardware that still receives security updates, and stay vigilant against emerging threats.