The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices.

The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.

Android devices infected with the BadBox malware will routinely connect to attacker-controlled command and control servers to receive new configuration settings and commands to execute on the infected device. The malware then turns the devices into residential proxies, generates fake ad impressions on the infected devices, redirects users to low-quality domains as part of fraudulent traffic distribution operations, and uses people's IPs to create fake accounts and perform credential stuffing attacks.

HUMAN told BleepingComputer that, in partnership with The Shadowserver Foundation, the researchers sinkholed nearly a thousand BADBOX 2.0 domains to prevent over 500,000 infected devices from communicating with command-and-control (C2) servers set up by threat actors.

"Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand', uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

HUMAN says it also discovered 24 Android apps in the official app store, Google Play, that installed the BadBox malware on Android devices. Google removed the apps from Google Play and added a Play Protect enforcement rule to warn users and block the installation of apps associated with BadBox 2.0 on certified Android devices.

"The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety," says Shailesh Saini, Google's Director of Android Security & Privacy Engineering & Assurance.

However, it is important to note that Google cannot disinfect non-Play Protect-certified Android devices sold globally, so while BadBox 2.0 has been disrupted, it has not been eliminated. Ultimately, as long as consumers buy AOSP-based Android devices, like off-brand TV boxes, that lack official Google Play Services support, they are at risk of using hardware pre-loaded with malware.
Source: www.bleepingcomputer.com. Publication date: Wed, 05 Mar 2025 16:45:25 +0000