Badbox 2.0 botnet: A Million Devices Enslaved, But Fightback Begins
The Resurgence of Badbox: A Growing Threat
The cyber landscape is once again under siege as the BadBox botnet resurfaces in a more potent form. Dubbed BadBox 2.0, this evolved malware has already compromised over a million devices, primarily those running AOSP (Android Open Source Project) firmware. The development follows the original BadBox outbreak late last year, which infected tens of thousands of IoT devices; in Germany, an operation against it cut roughly 30,000 infected devices off from the botnet's command-and-control infrastructure.

Global Impact and Device Vulnerabilities
BadBox 2.0 does not depend on an exploitable software flaw so much as on the supply chain: the backdoor ships preinstalled in the firmware of low-cost consumer electronics, or is pulled in by apps from unofficial app marketplaces. The botnet primarily infects unbranded, non-certified connected TV boxes (CTVs), tablets, digital projectors and other devices running AOSP-based firmware. Devices that are Play Protect certified or that run Android TV OS have not been found infected, which underlines the value of buying certified hardware.
Geographic Hotspots
According to HUMAN Security's analysis, BadBox 2.0 traffic has been observed from 222 countries and regions. The largest concentrations of infected devices are currently in:
- Brazil (37.62%)
- USA (18.21%)
- Mexico (6.32%)
Following intervention against the original Badbox botnet, Germany has seen a significant reduction in infected devices.
Countermeasures and Collaborative Efforts
A coalition of cybersecurity firms and tech giants is actively combating BadBox 2.0. HUMAN Security, in collaboration with Google, Trend Micro, Shadowserver and others, has disrupted parts of the botnet's command-and-control infrastructure. These efforts aim to limit the damage caused by the widespread infection.
Google’s Response
Google has implemented several measures to protect users:
- Google Play Protect: Issues warnings against installing apps exhibiting BadBox-related behavior. This protection is enabled by default on devices with Google Play services.
- Account deactivation: Google has disabled publisher accounts within its advertising ecosystem that are linked to BadBox 2.0.
Users are strongly advised to confirm that Google Play Protect is turned on (Play Store > profile icon > Play Protect) and to check whether their device is Play Protect certified (Play Store > Settings > About). A device that shows no certification there, or that cannot run the Play Store at all, is exactly the kind of hardware BadBox 2.0 targets.
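For a device you can reach with adb, the same two questions can be answered from the command line. The following triage script is an added example, not code from the article, from Google or from HUMAN Security: it parses the output of `adb shell getprop` and `adb shell pm list packages -i -3`, flags builds signed with test-keys (certified builds are signed with release-keys) and lists third-party packages that were not installed by a trusted store. The sample output embedded below is constructed, the package and model names in it are made up, and the `TRUSTED_INSTALLERS` set is an assumption you should extend if your devices legitimately use another store.

```python
"""Triage an Android device for an uncertified build and sideloaded apps.

Added example. Feed it text captured with:
    adb shell getprop                 -> parse_getprop()
    adb shell pm list packages -i -3  -> parse_packages()
The SAMPLE_* strings are constructed stand-ins for that output.
"""
import re

# Installer package names we accept as a trusted store (assumption: only
# Google Play here; add e.g. your MDM's installer if you use one).
TRUSTED_INSTALLERS = {"com.android.vending"}

# getprop prints "[key]: [value]" per line.
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
# pm list packages -i prints "package:<name>  installer=<pkg or null>".
PKG_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_getprop(text):
    """Return system properties as a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def parse_packages(text):
    """Map third-party package name -> installer package, or None when pm
    reports installer=null (sideloaded, or baked into the firmware image)."""
    pkgs = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            inst = m["inst"]
            pkgs[m["pkg"]] = None if inst == "null" else inst
    return pkgs


def triage(props, pkgs):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    # Play-certified builds are signed with release-keys. AOSP builds from
    # no-name vendors frequently ship with test-keys, a strong hint that the
    # firmware never went through certification.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build signed with test-keys (uncertified firmware)")
    if props.get("ro.product.brand", "").lower() in {"", "unknown", "generic"}:
        findings.append("no vendor brand in ro.product.brand")
    # Any third-party app that did not come from a trusted store deserves a
    # look: BadBox-style loaders arrive either preloaded or via side channels.
    for pkg, inst in sorted(pkgs.items()):
        if inst not in TRUSTED_INSTALLERS:
            findings.append(f"{pkg} installed by {inst or 'null'} (not a trusted store)")
    return findings


# Constructed sample output; model and package names are invented.
SAMPLE_GETPROP = """\
[ro.product.brand]: [unknown]
[ro.product.model]: [TVBOX-CONSTRUCTED]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [12]
"""

SAMPLE_PACKAGES = """\
package:com.example.player  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.iptv  installer=com.example.altstore
"""

if __name__ == "__main__":
    for finding in triage(parse_getprop(SAMPLE_GETPROP),
                          parse_packages(SAMPLE_PACKAGES)):
        print("FLAG:", finding)
```

Run it against real output with `adb shell getprop > props.txt` and `adb shell pm list packages -i -3 > pkgs.txt`, then pass the file contents to the two parsers. A hit on test-keys or an empty brand is not proof of infection, but it tells you the device is outside Play Protect's reach and should be treated as untrusted on your network.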
Understanding the Threat: How Badbox 2.0 Operates
The functionality of BadBox 2.0 mirrors that of its predecessor. Infected devices are turned into residential proxies, letting malicious actors route traffic through them to mask their own origin. The botnet also commits advertising and click fraud by silently loading websites, rendering advertisements and generating artificial clicks. The backdoor is a general loader as well: it can download additional APKs and execute further malicious code, so an infected device's capabilities are not limited to these two uses.
For technical details, including indicators of compromise (IOCs) such as affected device models and command-and-control (C2) server domains, refer to the HUMAN Security blog post.
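From the network side, the two behaviours described above, beaconing to C2 and fanning out to large numbers of unrelated web hosts as a proxy or ad-fraud bot, are visible in ordinary router or firewall flow logs. The script below is an added example and not code from the article or from HUMAN Security: it reads constructed flow records, matches destinations against an IOC list and flags any source address whose fan-out exceeds a threshold. The IOC hostnames (`*.invalid`), the log format and the threshold of 20 distinct hosts are all assumptions; substitute the real C2 domains from the HUMAN report and tune the threshold to your network.

```python
"""Flag hosts on a local network that behave like BadBox 2.0 nodes.

Added example. Flow records are "timestamp,src_ip,dst_host,dst_port"
(constructed format); IOC_HOSTS holds hypothetical C2 names standing in for
the published IOC list.
"""
from collections import defaultdict

# Hypothetical C2 hostnames. Replace with the real IOCs from the HUMAN report.
IOC_HOSTS = {"c2-example.invalid", "update-example.invalid"}


def parse_flows(text):
    """Parse flow lines into (ts, src_ip, dst_host, dst_port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, host, port = [f.strip() for f in line.split(",")]
        flows.append((ts, src, host.lower(), int(port)))
    return flows


def analyse(flows, fanout_threshold=20):
    """Return {src_ip: [reasons]} for every source worth investigating.

    Two signals are combined: any contact with a known C2 host, and the
    number of distinct destinations a single device talks to, which is high
    for a residential proxy or ad-fraud bot and low for a TV box that only
    streams from a handful of services.
    """
    hosts = defaultdict(set)
    ioc_hits = defaultdict(list)
    for ts, src, host, port in flows:
        hosts[src].add(host)
        if host in IOC_HOSTS:
            ioc_hits[src].append((ts, host, port))

    findings = {}
    for src, seen in hosts.items():
        reasons = []
        if ioc_hits[src]:
            names = ", ".join(sorted({h for _, h, _ in ioc_hits[src]}))
            reasons.append(f"contacted {len(ioc_hits[src])} known C2 host(s): {names}")
        if len(seen) >= fanout_threshold:
            reasons.append(f"fan-out to {len(seen)} distinct hosts (proxy/ad-fraud pattern)")
        if reasons:
            findings[src] = reasons
    return findings


def _build_sample():
    """Constructed flow log: one TV box that beacons and fans out, one laptop."""
    lines = ["# ts,src_ip,dst_host,dst_port (constructed sample)"]
    lines.append("2025-03-06T10:00:00,192.0.2.10,c2-example.invalid,443")
    for i in range(24):
        lines.append(f"2025-03-06T10:{i:02d}:30,192.0.2.10,site{i}.example,443")
    for host in ("mail.example", "news.example", "video.example"):
        lines.append(f"2025-03-06T10:05:00,192.0.2.20,{host},443")
    return "\n".join(lines)


SAMPLE_FLOWS = _build_sample()

if __name__ == "__main__":
    for src, reasons in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(src)
        for r in reasons:
            print("  -", r)
```

The IOC match is the high-confidence signal; the fan-out heuristic is there because C2 domains rotate and a device that is quietly proxying other people's traffic keeps showing that pattern whatever infrastructure it reports to. Run it over a day of DNS or NetFlow exports and look at the boxes that trip the fan-out check even without an IOC hit.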
Android TV Boxes: A recurring Target
Malware on Android TV boxes is a recurring problem. In September of last year, the cybersecurity firm Dr.Web reported the "Vo1d" backdoor on approximately 1.3 million Android TV boxes, another illustration of how exposed these devices are.
Cheap, uncertified Android TV boxes are clearly a popular vehicle for criminals.
