BADBOX 2.0 Malware Targets More Than One Million Android Devices in Worldwide Cyber Attack

A groundbreaking discovery by HUMAN Security, in partnership with Google and other cybersecurity leaders, has revealed the BADBOX 2.0 malware that has compromised over one million Android devices globally, marking it as one of the most extensive cyberattacks on connected technology to date.

Short Summary:

  • BADBOX 2.0 infects more than one million Android devices, overshadowing its predecessor’s impact.
  • Collaborative efforts among cybersecurity companies aim to disrupt this significant botnet operation.
  • The malware exploits vulnerable, non-branded devices for diverse fraudulent activities.

In a major revelation, HUMAN Security, a renowned cybersecurity organization, uncovered BADBOX 2.0, a comprehensive malware campaign that has successfully infected over one million Android devices worldwide. This new wave of malicious activity represents a significant evolution over the original BADBOX operation, which was disrupted in October 2023. According to Gavin Reid, the Chief Information Security Officer at HUMAN, the scale and complexity of BADBOX 2.0 far exceed its predecessor, indicating a coordinated effort by multiple threat actor groups to exploit vulnerable connected devices, particularly low-cost Android devices that do not undergo conventional security checks.

With less than a year between the two iterations, BADBOX 2.0 is now believed to enlist devices including off-brand Android tablets, smart TVs, and digital projectors from a wide array of manufacturers, primarily based in China. The previous operation impacted approximately 74,000 devices, but this latest investigation indicates that the infection now spans more than 1 million devices across 222 countries and territories. This development illustrates the ongoing adaptability and resourcefulness of cybercriminal networks, which continuously seek new ways to exploit weaknesses in an ever more connected digital landscape.

HUMAN’s Satori Threat Intelligence and Research Team has been diligently mapping the changes that BADBOX 2.0 has undergone since its inception. The malware is delivered through backdoored firmware and malicious applications, usually installed during device setup or through third-party app marketplaces. This multifaceted operation involves selling user information, generating fraudulent ad interactions, and building networks that host additional criminal activity, highlighting the interconnected risks faced by individual users who unknowingly contribute to these scams.

“In essence, many users are blissfully unaware that their purchase was not just a simple transaction but a launchpad for a multitude of cybercrimes,” Reid asserts. “The primary monetization strategy is utilizing the infected devices as residential proxy services, allowing attackers to mask their web traffic while they partake in illegal activities.”

BADBOX 2.0 facilitates several forms of fraud, as outlined by HUMAN’s research:

  1. Programmatic Ad Fraud: This includes the presentation of hidden advertisements via preinstalled applications and misleading webviews that redirect victims to ad-heavy gaming sites.
  2. Click Fraud: Automated click-throughs from infected devices drain advertiser budgets by clicking on ads served on low-quality domains.
  3. Residential Proxy Node Creation: This allows attackers to route internet traffic through the IP addresses of compromised devices, facilitating various illicit activities.
  4. Account Takeover and Data Theft: The botnet enables fake account creation, credential theft, sensitive information exfiltration, and Distributed Denial-of-Service (DDoS) attacks, often orchestrated by secondary threat actors.

The complexity of BADBOX 2.0’s operations has been further underscored by the emergence of “evil twin” apps—malicious applications masquerading as legitimate in the Google Play Store. Research has surfaced at least 24 such apps that have been linked to billions of fraudulent ad requests.

“It takes a proactive approach to protect consumers and businesses from such a sophisticated cyber scheme as BADBOX 2.0,” states Lindsay Kaye, Vice President of Threat Intelligence at HUMAN. “The reality is that certain fraud modules we identified might not yet be operational, meaning the potential for future attacks is still out there.”

As part of the response to BADBOX 2.0, companies like Google have been critical in curbing ad fraud linked to the scheme by terminating publisher accounts associated with the nefarious activities and enhancing the protective capabilities of Google Play Services.

Shailesh Saini, Director of Android Security at Google, expressed that “the infected devices are not certified Android TV OS devices, which means they lack the standard security and compatibility checks.” As a result, users are urged to ensure that Google Play Protect, which serves as a core malware protection feature on Android devices, is enabled and functioning.

While these collaborative efforts have started to neutralize some elements of the BADBOX 2.0 infrastructure, experts caution that the adaptability of these cybercriminal entities makes complete eradication of the threat challenging. Users are advised to take proactive steps to tighten their security posture, especially when using lesser-known or off-brand devices.

The recommendations include:

  • Regularly updating software and firmware to protect against known vulnerabilities.
  • Avoiding the use of dubious third-party marketplaces for app downloads.
  • Disconnecting any suspicious IoT devices from home networks to prevent unauthorized access.
  • Monitoring internet traffic for unusual activity that could indicate compromises.
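As an added illustration of the “monitoring internet traffic” recommendation (example code, not part of the article or of HUMAN’s research), the Python heuristic below aggregates constructed home-router flow records per device and flags any device whose traffic shape matches the residential-proxy behaviour described above: fan-out to many unrelated hosts and far more upload than a media player would produce. Device names, IP addresses, byte counts and thresholds are all constructed and must be tuned for a real network.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): one tuple per
# connection observed at a home router, as
# (device, dst_ip, dst_port, bytes_uploaded_by_device, bytes_downloaded_by_device).
SAMPLE_FLOWS = [
    # A normal smart TV: a few streaming/CDN endpoints, download-heavy.
    ("tv-livingroom", "198.51.100.5", 443, 40_000, 3_500_000),
    ("tv-livingroom", "198.51.100.6", 443, 25_000, 2_100_000),
    ("tv-livingroom", "198.51.100.7", 443, 10_000, 600_000),
    # An off-brand projector acting as a proxy node: a long-lived link to a
    # relay host that carries mostly uploads (relayed responses going back out)...
    ("projector-bedroom", "203.0.113.9", 8443, 20_000_000, 400_000),
]
# ...plus browsing-like fan-out to dozens of unrelated websites (constructed).
SAMPLE_FLOWS += [
    ("projector-bedroom", f"192.0.2.{i}", 443, 20_000, 300_000) for i in range(1, 41)
]


def per_device_stats(flows):
    """Aggregate distinct destinations and byte totals per device."""
    stats = defaultdict(lambda: {"dsts": set(), "up": 0, "down": 0})
    for device, dst_ip, _port, up, down in flows:
        s = stats[device]
        s["dsts"].add(dst_ip)
        s["up"] += up
        s["down"] += down
    return stats


def proxy_suspects(flows, max_dsts=15, max_up_ratio=1.0):
    """Return {device: [reasons]} for devices whose traffic looks like a
    residential proxy node rather than a media player. A TV should talk to a
    small, stable set of hosts and download far more than it uploads; a proxy
    node fans out to many hosts and pushes relayed data back upstream.
    Both thresholds are coarse starting points, not proven indicators."""
    suspects = {}
    for device, s in per_device_stats(flows).items():
        reasons = []
        if len(s["dsts"]) > max_dsts:
            reasons.append(f"{len(s['dsts'])} distinct destinations")
        if s["down"] and s["up"] / s["down"] > max_up_ratio:
            reasons.append(f"upload/download ratio {s['up'] / s['down']:.1f}")
        if reasons:
            suspects[device] = reasons
    return suspects


if __name__ == "__main__":
    for device, reasons in proxy_suspects(SAMPLE_FLOWS).items():
        print(f"{device}: {'; '.join(reasons)}")
```

A flagged device is a candidate for the “disconnect and assess” step above, not a confirmed infection; a legitimate device that uploads backups or hosts a game session can trip the same thresholds.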

Furthermore, researchers from Trend Micro contributed substantial insights during the investigation, revealing that the operations of the BADBOX 2.0 botnet appear to be interconnected with Chinese gray market advertising networks. Fyodor Yarochkin, a senior threat researcher at Trend Micro, emphasized the operational scale of BADBOX 2.0, indicating, “the number of connected devices may easily be in the millions, given the various ways in which the malware can propagate.”

The damage wrought by BADBOX 2.0 stems from the systemic weaknesses of low-cost Android devices, which create ample opportunities for exploitation through supply chain manipulation. There is growing concern about the widespread nature of such vulnerabilities, especially as more consumers adopt smart devices without fully understanding the risks they may carry.

Importantly, consumers should remain ever-vigilant and skeptical of products that seem too good to be true. Trend Micro’s Yarochkin aptly summarized, “If the device is too cheap to be true, be prepared for hidden surprises.”

In response to this critical situation, the Federal Bureau of Investigation (FBI) has also issued public service announcements, raising awareness about the dangers posed by compromised IoT devices that could unknowingly become part of the BADBOX 2.0 botnet. The FBI advises vigilance and immediate assessment of suspicious devices to safeguard personal and business networks.

By continuing to invest in research, establish protective measures, and educate consumers, the ongoing battle against cybersecurity threats like BADBOX 2.0 can gain critical momentum. Preventing the spread of such malware operations is a shared responsibility among developers, users, and industry stakeholders, reinforcing the necessity for robust cybersecurity training, monitoring, and infrastructure.

For the complete technical report and a list of affected device models, readers are encouraged to visit the HUMAN Security blog. Maintaining awareness and staying informed can be pivotal in navigating the potentially hazardous landscape of connected technologies.

For more information on best practices to ensure safe usage of devices in the home and protect against cyber threats, please refer to credible cybersecurity resources.
