- Security researchers HUMAN and partners disrupt BadBox 2.0 botnet
- They removed dozens of malicious apps from the Play Store, and sinkholed multiple domains
- The botnet targeted off-brand, low-cost Android devices
BadBox 2.0, the spiritual successor of the BadBox Android malware, has been disrupted after cybersecurity experts from the HUMAN’s Satori Threat Intelligence team, together with multiple partners, removed dozens of malicious apps from the Play Store, banned their developers, and sinkholed communications for hundreds of thousands of infected devices.
“The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally,” the researchers explained.
In total, 24 malicious apps on the Play Store distributing BadBox 2.0 were removed, and the developer accounts that uploaded these apps were banned from the platform. HUMAN then also sinkholed an undisclosed number of domains, effectively cutting off communications between the malware and the C2 servers – so in other words, the devices are still infected, but the malware is non-operational.
Sinkholing the domains
BadBox is a piece of malware that turns infected Android devices into residential proxies. They are used in ad fraud, credential stuffing, and other forms of cybercrime. Apparently, BadBox infected hundreds of thousands of devices, from TV streaming boxes, to smart TVs, and smartphones. No one knows exactly how these devices ended up being infected. Some believe they were compromised in early production, while others claim BadBox was dropped somewhere along the supply chain. In any case, these are overwhelmingly low-price-point, “off-brand”, or uncertified devices.
German authorities recently disrupted the operation within its borders, but that only sidetracked it a little. In the weeks following the operation, BadBox grew to more than a million infected devices (although they were mostly located outside Germany, in countries such as Brazil, the US, and Mexico).
Given its size and resilience, security researchers from HUMAN dubbed it “BadBox 2.0”. Now, together with Google, Trend Micro, The Shadowserver Foundation, and other partners, HUMAN disrupted the new operation in multiple ways.
As usual, the best way to defend against these attacks is to buy hardware and software from reputable sources, keep the assets updated, and monitor for malicious activity.
Via BleepingComputer
Leave a comment