BadBox Botnet Expands to Over 192,000 Devices Worldwide

Vlad CONSTANTINESCU

December 20, 2024

Despite a recent police operation in Germany aimed at disrupting the BadBox malicious campaign, the Android botnet has expanded significantly, compromising over 192,000 devices globally.

As BleepingComputer reported, cybersecurity experts have revealed that the malware’s reach now includes devices from well-known brands.

A broader targeting range

BadBox was initially confined to low-cost, knockoff Android devices. However, recent developments have shown the malware has also infiltrated trusted brands.

Security researchers suspect this alarming development is due to insider manipulation, firmware supply chain attacks, or malware injections performed during product distribution.

Origins and evolution

Believed to be derived from the Triada malware family, BadBox first surfaced in early 2023 when researchers discovered it on a T95 Android TV box.

The malware’s core functionality revolves around zombifying devices, turning them into residential proxies and perpetrating ad fraud. Residential proxies enable threat actors to obfuscate their activities, while ad fraud simulates ad interactions to generate illicit revenue.

To make matters worse, BadBox also facilitates the installation of further malicious payloads, propagating and amplifying its destructive capabilities.

A large-scale threat

Researchers previously estimated the peak of BadBox-infected devices at 74,000. However, a recent investigation revealed that the malware amassed over 192,000 compromised systems worldwide.

It is worth mentioning that most of these infections were spotted in China, India, Russia, Brazil, Belarus and Ukraine.

Cybersecurity experts used a tactic known as sinkholing to divert traffic from one of BadBox’s command-and-control (C2) servers and monitor incoming connections from compromised devices.

Connection attempts from over 160,000 unique IP addresses were recorded within 24 hours, leading researchers to believe that the malware is not only active but also expanding.

Germany’s recent effort against BadBox

Last week, Germany’s Federal Office for Information Security (BSI) disrupted a BadBox C2 server, cutting off communication for about 30,000 Android devices within the country.

While the operation was a localized victory, it barely affected the malware campaign on a larger scale. The effort’s limited geographic scope allowed BadBox to carry out its malicious activities in other regions unhampered.

Indicators of compromise and protective measures

Consumers should watch out for signs of a BadBox infection, which may include:

  • Overheating: Caused by high processor usage
  • Performance spikes: Sluggish behavior and unexpected application crashes
  • Suspicious network traffic: Unusual data usage patterns or connections to unknown servers
  • Configuration modifications: System settings modifications without user input

Users should take the following steps to mitigate exposure to BadBox malware:

  • Prioritize applying firmware updates: Ensure all devices are running the latest software versions
  • Isolate smart devices: Segregate potentially vulnerable devices from critical systems within the network
  • Disconnect when not in use: Minimize exposure by turning off devices or disconnecting them from the internet
  • Retire old or unsupported devices: If updates are unavailable, consider disconnecting or replacing the device entirely
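To make the "suspicious network traffic" indicator above concrete, here is an added example (not code from the article or from the researchers it cites) that scores constructed home-router flow records for two traits the article attributes to infected devices: proxy-style fan-out to many external hosts and periodic check-ins to a single C2 host. Device names, IP addresses and thresholds are assumptions chosen for the sample.

```python
"""Flag LAN devices whose outbound flows look like BadBox-style proxy or C2 traffic.
Two per-device heuristics: fan-out to many distinct external hosts (residential-proxy
behaviour) and beaconing to one host at near-constant intervals (C2 check-ins).
Thresholds are illustrative assumptions, not published BadBox signatures."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow log (timestamp, device, destination IP) of the kind a home
# router or firewall exports. All IPs are documentation ranges, not real hosts.
FLOW_LOG = """\
2024-12-19T10:00:00 phone-vlad 198.51.100.20
2024-12-19T10:00:05 phone-vlad 198.51.100.21
2024-12-19T10:05:00 phone-vlad 198.51.100.20
2024-12-19T10:00:00 tvbox-livingroom 203.0.113.7
2024-12-19T10:10:00 tvbox-livingroom 203.0.113.7
2024-12-19T10:20:00 tvbox-livingroom 203.0.113.7
2024-12-19T10:30:00 tvbox-livingroom 203.0.113.7
""" + "".join(f"2024-12-19T10:{i:02d}:30 tvbox-livingroom 192.0.2.{i}\n" for i in range(1, 41))

def parse_flows(text):
    """Group flows by device: {device: [(timestamp, destination), ...]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, dev, dst = line.split()
            flows[dev].append((datetime.fromisoformat(ts), dst))
    return flows

def beaconing_hosts(records, min_hits=4, max_jitter=0.1):
    """Destinations contacted >= min_hits times with inter-arrival jitter <= max_jitter."""
    by_dst = defaultdict(list)
    for ts, dst in records:
        by_dst[dst].append(ts)
    hits = []
    for dst, times in by_dst.items():
        if len(times) >= min_hits:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # Coefficient of variation of the gaps: near zero means a fixed schedule.
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
                hits.append(dst)
    return hits

def suspicious_devices(text, fanout_threshold=25):
    """Map each flagged device to its reasons; devices with no findings are omitted."""
    findings = {}
    for dev, records in parse_flows(text).items():
        reasons = []
        distinct = {dst for _, dst in records}
        if len(distinct) >= fanout_threshold:
            reasons.append(f"fan-out to {len(distinct)} external hosts")
        reasons += [f"beaconing to {dst}" for dst in beaconing_hosts(records)]
        if reasons:
            findings[dev] = reasons
    return findings
```

Running `suspicious_devices(FLOW_LOG)` flags only the TV box, for both fan-out and beaconing, while the phone's handful of irregular connections stays clean.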
