Badbox 2.0 Botnet Hacks 1 Million Android Devices Worldwide

Techoreon

Badbox is back. Partially dismantled by the authorities last year, the botnet has since taken control of a million Android devices around the world. A coalition of security companies has launched a large-scale counteroffensive to disrupt the network of zombie devices.

Last year, authorities and researchers conducted several operations against Badbox, a botnet that targets Android devices. In December, German authorities sinkholed the malware's command-and-control traffic for more than 30,000 infected devices, cutting them off from the operators.

Only partly disrupted, the botnet quickly resumed its growth, compromising more than 150,000 devices, mainly TV boxes, smartphones, tablets and low-cost televisions. Sometimes Badbox ships preinstalled in the device's firmware, straight from the factory. In other cases, the malware hides inside malicious applications.

The emergence of Badbox 2.0

As Human's researchers report, the botnet has continued to grow in recent months. It has infected more than a million Android devices spread across 222 countries and territories, with Brazil, the United States, Mexico and Argentina among the most affected. According to researcher Fyodor Yarochkin, this is "only a fraction of the devices currently connected to their platform." Taking into account "all the devices that could host their payload, the figure would probably exceed several million."

Faced with this growth, Human has decided to refer to the botnet as Badbox 2.0. The new name also reflects a change in the operators' tooling: alongside firmware backdoors, they increasingly use malicious apps distributed through legitimate app stores and third-party marketplaces as an entry point.


True to its modus operandi, Badbox 2.0 still targets low-cost devices, such as tablets, digital projectors or Android TV boxes. It is now also spreading to in-car screens and infotainment units. Here again, what the targets have in common is their low price.

“As a consumer, keep in mind that if a device seems unusually cheap, there is a good chance that it is hiding unexpected surprises,” advises Fyodor Yarochkin of Trend Micro.

Why Google is Powerless

None of these devices are certified by Google, Human reports. They run the Android Open Source Project (AOSP), the open-source base of Android that ships without Google's services, and they are all manufactured in mainland China. Contacted by BleepingComputer, Google reiterated that "the infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices."

“If a device is not Play Protect certified, Google has no record of the security and compatibility testing that has been performed on it. However, Android devices that are Play Protect certified undergo rigorous testing to ensure a safe and quality user experience. Users are encouraged to ensure that Google Play Protect, the malware protection built into Android and enabled by default on devices with Google Play Services, is enabled,” Google reports.

According to Human's investigation, several criminal groups are involved in the Badbox operation; this is a large-scale, coordinated criminal effort. Once Badbox is on a device, it lies dormant until the device is powered on and connected to a network, then contacts its command-and-control infrastructure and downloads a fraud module. The malware carries out advertising fraud in particular, and it also harvests a large amount of personal data from the victims.

Most importantly, it turns the compromised device into a residential proxy. Cybercriminals can then use the infected device as a hop in attacks or scams: they route their Internet traffic through these machines, so that the victim's home IP address, not their own, shows up at the other end.

“Ad fraud, especially click fraud, happens in the background. However, the main source of revenue for cybercriminals is the resale of this proxy service. Victims are completely unaware that their device is being used as an intermediary: they never gave their consent to be used as a relay, but they are being exploited for this purpose anyway,” Gavin Reid, Human’s chief information security officer, told Wired.
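The residential-proxy behaviour described above is visible from the network side even when the device itself cannot be inspected: a compromised TV box fans out to far more distinct destination hosts and networks than a streaming appliance ever would. The following is an added example, not code from Human, Trend Micro or the Badbox research; it assumes NetFlow-style flow records already exported from a home router or firewall, and the flow data, device addresses and thresholds are constructed for illustration, not taken from any real infection.

```python
"""Flag LAN devices whose outbound traffic fans out like a residential proxy.

Added example. Assumes flow records (timestamp, src, dst, dst port, bytes) are
available from the edge router; thresholds are illustrative, not from the
Badbox reports.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str        # LAN device that opened the connection
    dst: str        # remote host
    dport: int      # remote port
    bytes_out: int
    bytes_in: int


def _net24(ip: str) -> str:
    """Collapse a destination IP to its /24 so CDN nodes in one block count once."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def summarize(flows: List[Flow], window: int = 3600) -> Dict[str, Tuple[int, int, float]]:
    """Per source device: (distinct destinations, distinct /24 networks,
    share of flows to ports other than 80/443) over the last `window` seconds
    of the data set."""
    if not flows:
        return {}
    end = max(f.ts for f in flows)
    per = defaultdict(lambda: {"dsts": set(), "nets": set(), "flows": 0, "non_web": 0})
    for f in flows:
        if f.ts < end - window:
            continue
        s = per[f.src]
        s["dsts"].add(f.dst)
        s["nets"].add(_net24(f.dst))
        s["flows"] += 1
        if f.dport not in (80, 443):
            s["non_web"] += 1
    return {
        src: (len(s["dsts"]), len(s["nets"]), s["non_web"] / s["flows"])
        for src, s in per.items()
    }


def flag_proxy_like(flows: List[Flow], min_dsts: int = 40, min_nets: int = 20,
                    window: int = 3600) -> List[Tuple[str, int, int]]:
    """Return (device, distinct_dsts, distinct_nets) for devices whose fan-out
    exceeds both thresholds. A streaming box talks to a handful of CDN hosts;
    a proxy exit relays customer traffic to many unrelated sites."""
    flagged = []
    for src, (dsts, nets, _non_web) in summarize(flows, window).items():
        if dsts >= min_dsts and nets >= min_nets:
            flagged.append((src, dsts, nets))
    return sorted(flagged)


def constructed_flows() -> List[Flow]:
    """Constructed sample data (not captured traffic). 192.168.1.20 behaves like
    a legitimate streaming box; 192.168.1.50 behaves like a proxy exit node.
    Destination addresses use documentation/benchmark ranges on purpose."""
    flows = []
    base = 1_700_000_000
    cdn = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]   # 3 hosts, 2 networks
    for i in range(50):
        flows.append(Flow(base + i * 10, "192.168.1.20", cdn[i % 3], 443, 2_000, 900_000))
    for i in range(60):                                        # 60 hosts, 60 networks
        port = 443 if i % 4 else 8080
        flows.append(Flow(base + i * 30, "192.168.1.50", f"198.18.{i}.7", port, 1_500, 40_000))
    return flows


if __name__ == "__main__":
    for device, dsts, nets in flag_proxy_like(constructed_flows()):
        print(f"{device}: {dsts} distinct hosts across {nets} /24s in the last hour")
```

The check is deliberately coarse: it will also trip on a laptop running a web crawler, so treat a hit as a reason to pull the device off the network and inspect it, not as proof of infection. Tune the thresholds against a week of your own flow data before alerting on them.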

The offensive against Badbox

With the support of partners including Google, Trend Micro and The Shadowserver Foundation, Human launched a large-scale disruption operation. The researchers sinkholed the command-and-control domains, cutting off communication between more than 500,000 infected devices and the operators' servers. Without instructions from its operators, Badbox on those devices goes dormant.

At the same time, the researchers found Badbox 2.0 on the Play Store. Hidden in the code of 24 Android applications, the malware reached hundreds of thousands of Android smartphones; some of the fraudulent apps had more than 50,000 downloads. Once alerted, Google promptly removed all of the applications from its store and updated Play Protect to detect apps linked to Badbox.

Despite the efforts of Human and its partners, Badbox is not dead. The botnet still controls hundreds of thousands of Android devices around the world. For the record, Badbox was first detected in 2023 on an Android TV box sold on Amazon.
