Badbox is back and a million Android devices were backdoored

Human Security’s Satori research team has unveiled a concerning development in the realm of cybersecurity: a new variant of the remote-controllable Badbox malware, which has reportedly infiltrated nearly a million Android devices, creating an extensive botnet. This alarming discovery follows the initial Badbox outbreak in 2023, when the team identified off-brand Android-powered internet-connected TV devices—imitation products akin to Apple TV, Roku, or Amazon Fire Sticks—infected with malware that contributed to a significant ad-fraud network known as Peachpit. The first cluster of Badbox comprised around 74,000 devices.

Badbox 2.0: A Broader Reach

Badbox 2.0 appears to be expanding its target range, focusing on devices running the Android Open Source Project (AOSP). This includes not only inexpensive off-brand smartphones but also various internet-connected TV boxes, tablets designed for automotive use, and digital projectors. Gavin Reid, Chief Information Security Officer at Human Security, explained that the botnet’s operators often exploit the supply chain by acquiring low-cost hardware, rebranding it, and embedding their malicious code into either the firmware or commonly used applications before reselling these compromised products.

Human Security’s researchers have identified over 200 applications infected with malware that contribute to the botnet, all of which are hosted on third-party Android app stores. Many of these applications are “evil twins” of legitimate programs available on Google’s Play Store. After the authentic apps are published, cybercriminals create and distribute similar packages on alternative software platforms, complete with the embedded malware. This tactic is particularly effective in developing regions where third-party app stores are prevalent, leading unsuspecting users to download and install these malicious versions.

“The Badbox 2.0 scheme is significantly larger and more sophisticated than what we observed in 2023,” Reid noted, highlighting the increase in targeted device types, the scale of infections, the variety of fraudulent activities, and the complexity of the operation.

Evidence suggests that this malware operation may involve collaboration among various criminal groups, as Satori researchers have identified four distinct factions, each managing different components of the Badbox initiative. All infected devices originate from China, and since the emergence of the 2.0 botnet last autumn, the malware has generated network traffic from 222 countries and territories recognized by the UN.

Monetization and Evasion Tactics

The botnet’s operators monetize their activities through hidden advertisements that users remain unaware of, while also engaging in ad-click fraud. Lindsay Kaye, Vice President of Threat Intelligence at Human Security, elaborated on the lengths to which these operators go to obscure their fraudulent practices. In scenarios where a legitimate ad network detects an unusual surge of ad views or clicks from a specific country, such as China, it raises alarms. However, by distributing the fraud across internet-connected devices worldwide, the operators can evade detection.

“If you’re coming from a residential address where 99.9 percent of the traffic is legitimate, and then the botnet operator activates ad fraud for a brief period, it becomes challenging to identify and block,” Kaye explained.

In addition to ad fraud, Satori’s findings suggest that the malware is capable of stealing passwords entered on infected devices. While the botnet could potentially be utilized for denial-of-service attacks, Reid suspects that the operators prefer to maintain a low profile to avoid drawing unwanted scrutiny.

At its peak, Badbox 2.0 had infected close to a million devices; however, thanks to collaborative efforts from Human Security, Google, Trend Micro, and the non-profit Shadowserver Foundation, that number has been reduced by half. These organizations have worked diligently to identify and dismantle command-and-control servers directing the compromised devices, with Google monitoring suspicious Android traffic and Human Security alerting companies to the ad fraud emanating from these devices.

Fortunately, the infections appear to have been detected early. Kaye noted that many of the malware modules examined were labeled “test,” indicating that the botnet was still in its nascent stages. Nevertheless, she anticipates that the criminals behind Badbox 2.0 will attempt to revive their nefarious network, likely altering their tactics to evade detection, as they did following the discovery of the original Badbox network.

Botnote

In related news, the newly identified Eleven11bot has emerged as a variant of Mirai malware, reportedly compromising thousands of devices, with a particular focus on HiSilicon-based hardware.

AppWizard