BadBox 2.0 Botnet Disrupted – But Is the Threat Really Gone?


Cybersecurity researchers have uncovered a significant malware operation known as BadBox 2.0, which has compromised over 1 million Android devices worldwide. This operation primarily affects off-brand devices such as connected TVs, smartphones, tablets, digital projectors, and aftermarket car infotainment systems. The good news is that the botnet has been disrupted. As reported by BleepingComputer, researchers have blocked communications for over 500,000 infected Android devices and removed 24 harmful apps from Google Play. While this is a win, the threat is not completely gone.

BadBox is a type of malware that infects cheap Android devices like TV streaming boxes, tablets, smart TVs, and smartphones. Some devices come with the malware already installed, while others get infected through bad apps or firmware updates.

BadBox 2.0 is an evolved version of the original BadBox malware. It begins with a backdoor installed on these off-brand devices, which allows cybercriminals to deploy various fraud modules, and the infected devices are then used for multiple fraudulent activities. The malware displays hidden ads and uses WebViews to generate illegitimate ad revenue, directs users to low-quality domains to simulate clicks on advertisements, and turns devices into proxy nodes, facilitating activities like account takeovers, fake account creation, credential theft, data exfiltration, and Distributed Denial of Service (DDoS) attacks.

The BadBox 2.0 operation has reached devices in 222 countries and territories, with the highest infection rates observed in Brazil, the United States, Mexico, and Argentina.

BadBox 2.0 Botnet

Last year, German authorities tried to stop BadBox, but it quickly spread again, infecting even more devices. At its worst, the botnet had over 1 million infected devices across 222 countries. This latest action was led by HUMAN’s Satori Threat Intelligence team, working with Google, Trend Micro, and The Shadowserver Foundation.

By blocking nearly 1,000 domains used by the malware, researchers stopped infected devices from communicating with hacker-controlled servers. This made the malware inactive. Google also removed 24 dangerous apps from the Play Store, including ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator,’ both downloaded over 50,000 times.
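Because the disruption works by cutting off the malware's domains, a network owner can look for infected devices the same way: by checking DNS logs for clients resolving known-bad domains. The following Python check is an added example, not code from the article or from the researchers it names; the blocklist entries and dnsmasq-style log lines are constructed placeholders, and the real BadBox 2.0 domains are not given on this page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed placeholder blocklist (the article does not list the real domains).
BLOCKED_DOMAINS: Set[str] = {
    "c2-placeholder-1.example",
    "ads-placeholder.example",
}

# Constructed dnsmasq-style query lines, one client (192.168.1.57) behaving like an infected box.
SAMPLE_LOG = """\
Mar 10 09:12:01 dnsmasq[812]: query[A] www.wikipedia.org from 192.168.1.20
Mar 10 09:12:03 dnsmasq[812]: query[A] update.c2-placeholder-1.example from 192.168.1.57
Mar 10 09:12:05 dnsmasq[812]: query[A] www.wikipedia.org from 192.168.1.57
Mar 10 09:12:09 dnsmasq[812]: query[AAAA] ads-placeholder.example from 192.168.1.57
Mar 10 09:12:15 dnsmasq[812]: query[A] c2-placeholder-1.example from 192.168.1.88
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def matches_blocklist(name: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: a.b.c -> b.c -> c
        if candidate in blocklist:
            return candidate
    return None


def find_suspect_clients(log_text: str, blocklist: Set[str] = BLOCKED_DOMAINS) -> Dict[str, List[str]]:
    """Map each client IP to the blocklisted domains it queried (deduplicated, in first-seen order)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (dnsmasq also logs replies, cached answers, etc.)
        hit = matches_blocklist(m["name"], blocklist)
        if hit and hit not in hits[m["client"]]:
            hits[m["client"]].append(hit)
    return dict(hits)


if __name__ == "__main__":
    for client, domains in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: queried blocked domain(s) {', '.join(domains)}")
```

Devices that show up in the report are candidates for the disconnect-and-replace advice below; swap the placeholder set for a current indicator feed before using this on real logs.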

Google has improved its Play Protect security to stop further infections on certified devices. However, the biggest problem is that Play Protect cannot clean devices that are not officially certified. Many low-cost, off-brand Android devices, especially those running AOSP (Android Open Source Project) software, are still at risk.

While the disruption of BadBox 2.0 is a major victory, it does not mean the threat has been completely eliminated. The malware is still present on many uncertified devices that cannot receive Google’s security updates. Additionally, new variants of the malware could emerge, adapting to the latest security measures.

Cybercriminals behind BadBox 2.0 are intelligent, and they have already demonstrated the ability to evolve their tactics. The possibility of similar malware campaigns in the future remains high. Users who own infected or vulnerable devices should take immediate steps to minimize their risk. They should disconnect compromised devices from the internet and replace them with more secure alternatives.

To protect your device against threats like BadBox 2.0, you should always follow these recommendations.

  • Purchase Devices from Reputable Brands: Always purchase devices from well-known manufacturers to reduce the risk of pre-installed malware.
  • Use Official App Marketplaces: Download apps only from official sources like the Google Play Store to minimize exposure to malicious applications. If you want to download an APK, download it from a trusted APK download website.
  • Verify Device Certification: Ensure your Android device is Google Play Protect-certified, as certified devices undergo extensive testing to ensure quality and user safety.

While the disruption of BadBox 2.0 is a commendable step, the threat is still there. So, users must stay cautious, choose secure devices from reputable brands, and rely on official marketplaces for apps to minimize risks.
