BADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes


The BADBOX botnet, a sophisticated cybercriminal operation, has compromised approximately 74,000 devices, including Android TV boxes, smartphones, and other electronics.

This malware is pre-installed on devices before they even reach consumers, making it a particularly insidious threat.

BADBOX is not just another piece of malware; it’s a backdoor, bot, and proxy all rolled into one, primarily targeting Android operating systems on mobile phones, smartphones, tablets, and CTV boxes.

Infection Cycle

According to BitSight's analysis, once an infected device is powered on, it immediately connects to a command-and-control (C2) server, allowing attackers to access the local network, intercept two-factor authentication secrets, and install additional malware.

The infection process is believed to occur either during the manufacturing stage or through a supply chain attack, where the malware is embedded in the device firmware.


This makes the removal of BADBOX exceptionally challenging, as it resides on a non-writable partition of the firmware.

BADBOX Botnet Infected 192,000 Devices

Initially thought to be contained, BADBOX has shown resilience and growth. Recent telemetry data indicates that over 192,000 devices are now infected, with 160,000 of these belonging to unique models not previously seen, including high-end devices like the Yandex 4K QLED Smart TV and the T963 Hisense Smartphone.

[Figure: Devices Infected]

Notably, high-end devices like the Yandex 4K QLED Smart TV and T963 Hisense Smartphone have also fallen victim, suggesting that the issue extends beyond just low-cost, off-brand electronics.

The top affected countries include Russia, China, India, Belarus, Brazil, and Ukraine, highlighting the global reach of this botnet.

BADBOX is a firmware backdoor akin to the Triada malware family, which allows attackers to gain unauthorized access to devices. Upon booting, infected devices attempt to connect to a command-and-control (C2) server to receive instructions. This malware can perform a range of malicious activities:

  • Residential Proxying: Using compromised devices as exit points for internet traffic, often for illegal activities.
  • Remote Code Installation: Downloading and executing additional malicious code without user consent.
  • Account Abuse: Creating fake email and messaging accounts to spread misinformation or conduct fraud.
  • Ad Fraud: Generating revenue through fake ad impressions and clicks.

[Figure: BADBOX Infection Chain]

BADBOX’s capabilities extend beyond simple data theft. It can engage in residential proxying, where compromised devices are used as exit points for other malicious activities, remote code installation, account abuse, and ad fraud.

The infection occurs either during manufacturing or through the supply chain, making it nearly impossible for consumers to detect the threat before purchase. Devices are sold through reputable retailers like Amazon, eBay, and AliExpress, further complicating the issue. Despite efforts to curb its spread, BADBOX remains active.

German authorities recently disrupted a botnet of 30,000 devices infected with BADBOX, but this action was geographically limited and did not significantly impact the overall telemetry.

This indicates that BADBOX continues to evolve and expand, with new infrastructure being uncovered by security researchers.

The German Federal Office for Information Security (BSI) has warned consumers about the dangers of outdated firmware and pre-installed malware.

They emphasize the shared responsibility between manufacturers, retailers, and consumers to ensure device security.

Consumers are advised to consider cybersecurity when purchasing devices, while manufacturers and retailers must ensure that products are free from such threats before they reach the market.

The BADBOX botnet’s ability to infect devices at the firmware level before they even reach consumers underscores a significant vulnerability in the supply chain of Android devices.

With its growing scale and the potential for further malicious activities, BADBOX represents a clear and present danger to digital security worldwide.
