The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices.
The BadBox botnet is a cyber-fraud operation that mainly targets low-cost Android devices such as TV streaming boxes, tablets, smart TVs and smartphones.
These devices either ship from the manufacturer preloaded with the BadBox malware or are infected later through malicious apps or firmware downloads.
The malware then turns the devices into residential proxies, generates fake ad impressions on the infected devices, redirects users to low-quality domains as part of fraudulent traffic-distribution operations, and uses the victims' IP addresses to create fake accounts and carry out credential-stuffing attacks.
Last December, German authorities disrupted the malware on infected devices in the country. However, a few days later, Bitsight reported that the malware had been found on at least 192,000 devices, showing its resilience against law enforcement action.
Since then, the botnet is estimated to have grown to more than 1,000,000 infections, affecting Android devices in 222 countries, most of them located in Brazil (37.6%), the United States (18.2%), Mexico (6.3%) and Argentina (5.3%).
Source: Human
New BadBox disruption
Human's Satori Threat Intelligence team led the latest disruption operation in collaboration with Google, Trend Micro, the Shadowserver Foundation and other partners.
Due to the botnet's sudden growth, Human now refers to it as “BadBox 2.0”, marking a new era in its operation.
“This scheme impacted more than 1 million consumer devices. The devices connected to the BadBox 2.0 operation included lower-price, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors and more,” explains Human.
“Infected devices are Android Open Source Project devices, not Android TV OS or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, Human observed traffic associated with BadBox 2.0 from 222 countries and territories around the world.”
Human says it has found evidence that the botnet is used and supported by multiple threat groups with distinct roles or benefits.
These groups are SalesTracker (infrastructure management), MoYu (backdoor and botnet development), Lemon (ad-fraud campaigns) and LongTV (malware development).
Android devices infected with the BadBox malware periodically connect to attacker-controlled command and control servers to receive new configuration settings and commands to execute on the infected device.
Human told BleepingComputer that, in partnership with the Shadowserver Foundation, the researchers sinkholed an undisclosed number of BadBox 2.0 domains to prevent more than 500,000 infected devices from communicating with the command and control (C2) servers set up by the threat actors.
When a domain is sinkholed, it is taken over by the researchers, allowing them to monitor all connections made to that domain by infected devices and to collect data on the botnet. Because the infected devices can no longer reach the attacker-controlled domains, the malware enters a dormant state, effectively disrupting the infection.
Human says it also discovered 24 Android apps in the official Google Play app store that installed the BadBox malware on Android devices. Some of the apps, such as “Earn Extra Income” and “Pregnancy Ovulation Calculator” from Seekiny Studio, had more than 50,000 downloads each.
Source: Human
Google has removed the apps from Google Play and added a Play Protect enforcement rule to warn users and block the installation of apps associated with BadBox 2.0 on certified Android devices.
In addition, the tech giant terminated the accounts of publishers engaged in ad fraud associated with the BadBox operation, preventing them from monetizing via Google Ads.
However, it is important to note that Google cannot disinfect the uncertified Android devices sold worldwide, so while BadBox 2.0 has been disrupted, it has not been eliminated.
Ultimately, as long as consumers buy AOSP-based Android devices such as off-brand TV boxes, which lack official Google Play Services support, they risk using hardware that comes preloaded with malware.
The devices known to be affected by the BadBox malware are listed below:
| Device model | Device model | Device model | Device model |
|---|---|---|---|
| TV98 | X96q_max_p | Q96L2 | X96Q2 |
| X96Mini | S168 | UMS512_1h10_natv | X96_s400 |
| X96Mini_rp | Tx3mini | Hy-001 | MX10Pro |
| X96mini_plus1 | Longv_GN7501E | XTV77 | Netbox_b68 |
| X96q_pr01 | AV-M9 | Adt-3 | Ocbn |
| X96Mate_plus | Km1 | X96q_pro | Projector_t6p |
| X96QPro-TM | SP7731E_1H10_Native | M8SPROW | TV008 |
| X96Mini_5g | Q96MAX | Orbsmart_tr43 | Z6 |
| Tvbox | Clever | Km | A15 |
| Transition | Km7 | Isinbox | I96 |
| Smart_tv | Fujicom-SmartTV | MXQ9Pro | Mbox |
| X96q | Isinbox | Mbox | R11 |
| Gaming box | Km6 | X96max_plus2 | TV007 |
| Q9 Stick | SP7731E | H6 | X88 |
| X98K | Txcz | | |
In response to the disruption, Google shared the following statement with BleepingComputer.
“We appreciate the collaboration with Human to take action against the BadBox operation and protect consumers from fraud. Infected devices are Android Open Source Project devices, not Android TV OS or Play Protect certified Android devices,” explains Shailesh Saini, Google's Director of Engineering, Security and Privacy Assurance.
“If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure that Google Play Protect, Android's malware protection that is on by default on devices with Google Play Services, is enabled.”
If you own one of the devices listed above, you will likely not be able to obtain clean firmware for it.
Instead, these devices should be replaced with ones from reputable brands. If replacing the device is not possible, it should be disconnected from the internet.