The Badbox botnet, employing a new variant of the Badbox malware, has resurfaced, affecting as many as one million backdoored Android devices, according to Human Security’s Satori research team.
Badbox malware targets Android devices
The first outbreak of Badbox malware occurred in 2023, when researchers found off-brand Android-powered internet-connected TV devices—knockoffs of popular models like Apple TV, Roku, or Amazon Fire Sticks—participating in an expansive ad-fraud network named Peachpit. That initial cluster contained around 74,000 infected devices.
Badbox 2.0 continues to target Android devices, specifically hardware running the Android Open Source Project (AOSP). This variant has been identified in low-cost off-brand smartphones, additional internet-connected TV boxes, car-use tablets, and digital projectors.
Gavin Reid, CISO of Human Security, reported that the botnet’s operators often manipulate the supply chain by acquiring inexpensive hardware, rebranding it, embedding malware into its firmware or commonly used apps, and then selling the compromised products. Researchers identified more than 200 infected apps on third-party Android app stores, many of them ‘evil twins’: malicious versions of legitimate programs available on Google’s Play Store.
Reid stated, “The Badbox 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted, the number of devices infected, the different types of fraud conducted, and the complexity of the scheme.”
The malware has produced network traffic from 222 countries and territories since its detection last autumn, indicating its vast reach. The botnet primarily profits from hidden ads that users do not see, while also employing ad-click fraud.
Lindsay Kaye, vice president of threat intelligence at Human Security, explained that operators disguise their fraudulent techniques. If a legitimate ad network flags a surge in views or clicks from a specific area, it raises suspicions. Therefore, by disguising fraud across various internet-connected devices globally, they can evade detection.
Evidence also suggests that the malware has the capability to steal passwords from infected devices. Although the botnet could be used for denial-of-service attacks, Reid believes the operators prefer subtle ad fraud to avoid drawing undue attention.
The Badbox 2.0 botnet peaked at nearly one million infected devices, a number that has since been reduced by half due to efforts from Human Security, Google, Trend Micro, and the nonprofit Shadowserver Foundation. These organizations worked collaboratively to identify and disable command-and-control servers directing the infected devices, with Google monitoring for suspicious traffic.
In December 2024, Germany initiated a disruption by sinkholing over 30,000 Badbox-infected media devices, yet a larger botnet comprising over 190,000 devices was discovered shortly thereafter.
Human Security assessed that the botnet’s impact was underestimated initially, with Badbox 2.0 reportedly infecting over one million devices across more than 220 countries. Similar to its predecessor, this iteration exploits backdoored AOSP devices from multiple Chinese manufacturers.
The backdoor can reach a device by three routes: it is built into the firmware during manufacturing, it is downloaded from a command-and-control server at first boot, or it is installed through third-party app stores by unwitting users. The threat actors behind Badbox collaborate extensively; four groups have been identified: SalesTracker Group, MoYu Group, Lemon Group, and LongTV.
Human Security noted, “This wasn’t an attack by a single threat actor; this was a collection of threat actors sharing resources, targeting shared infrastructures.” To combat the botnet’s operations, ad fraud monetization prevention measures have been implemented, and accounts associated with the fraudulent schemes were deactivated.
Despite the efforts to mitigate its impact, experts caution that the disruption is unlikely to end the botnet entirely, as operators may adapt and rebuild their networks.
Users are advised to remove apps such as ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’ if found on their devices, and to ensure their Android devices are protected with active security solutions to prevent malicious app downloads and block harmful traffic.
Google Play Protect is designed to warn users and block apps exhibiting Badbox 2.0-related behavior on certified Android devices.
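As an added illustration of the advice above (this is not code from Human Security, Google, or the original article), the following shell snippet triages user-installed packages by their installer attribution, using the output of `adb shell pm list packages -3 -i`. Any app that did not arrive through the Play Store (`com.android.vending`) is worth a second look, since third-party app stores are one of the infection routes described. The package names in the sample are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: flag user-installed Android packages that were not installed
# by the Play Store. Input format is that of `pm list packages -3 -i`, e.g.
#   package:com.example.app  installer=com.android.vending
# Packages installed by hand or by a third-party store show a different
# installer, or "null" when no installer was recorded.

# Constructed sample output (not captured from a real device).
SAMPLE='package:com.example.legitapp  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.thirdpartystore  installer=com.example.store
package:com.example.maps  installer=com.android.vending'

# Reads pm output on stdin; prints one line per package whose installer is
# not the Play Store. "package:" is 8 characters and "installer=" is 10,
# hence the substr offsets.
flag_non_play_packages() {
    awk '{
        pkg = substr($1, 9)
        src = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) src = substr($i, 11)
        if (src != "com.android.vending") print pkg " (installer=" src ")"
    }'
}

# Convenience wrapper: number of flagged packages in the sample.
count_suspicious() {
    printf '%s\n' "$SAMPLE" | flag_non_play_packages | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. On a real device with USB
# debugging enabled, pipe live output instead:
#   adb shell pm list packages -3 -i | flag_non_play_packages
printf '%s\n' "$SAMPLE" | flag_non_play_packages
```

Two caveats a practitioner should keep in mind: the `-3` flag lists only third-party packages, so a backdoor baked into the firmware as a system app will not appear here at all, and installer attribution is self-reported by the platform rather than a cryptographic guarantee. The check is a quick first pass for the app-store infection route, not a substitute for a vendor-signed, Play Protect certified device.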
Featured image credit: Aytun Çelebi/Ideogram