Over 1 million Android devices infected with password-stealing, pre-installed botnet malware — how to stay safe
BadBox 2.0 has spread to over 222 countries

Researchers at HUMAN’s Satori Threat Intelligence team worked alongside Google, Trend Micro, The Shadowserver Foundation and others to disrupt the largest botnet of infected connected TV devices – BadBox 2.0.
A botnet of infected off-brand Android devices, the BadBox malware usually comes pre-loaded on TV streaming boxes, smart TVs, tablets, digital projectors, or smartphones. In this case, the threat actors also operated hundreds of versions of popular apps to serve as an alternative backdoor delivery system. Fortunately, HUMAN's researchers identified 24 malicious “evil twin” apps spreading this malware and had them removed from the Google Play Store.
In total, they were able to disrupt the botnet on over 500,000 Android devices by sinkholing communications to the malicious domains used by the hackers behind this campaign. The researchers have taken over thousands of these BadBox 2.0 domains, which prevents the infected devices from communicating with the command-and-control (C2) servers set up by these cybercriminals and also allows the researchers to monitor the connections and gather data about the botnet.
What is BadBox 2.0?
A malware-based botnet, BadBox 2.0 uses lower-cost, off-brand Android devices to commit malicious acts including fraud. The original BadBox malware infected 74,000 devices and was disrupted or made dormant in October 2023.
This new version, BadBox 2.0, has infected more than 1 million devices according to HUMAN. The majority of the infections appear to be focused on Brazil (37.6%), followed by the U.S. (18.2%), Mexico (6.3%) and Argentina (5.3%).
The infected devices, which include Android TV streaming boxes, smart TVs, smartphones, tablets, and digital projectors among other things, often arrive with malware pre-loaded directly from the manufacturer; others are infected and added to the botnet via malicious “evil twin” apps or firmware downloads. HUMAN pointed out in a blog post that “the infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”
Once installed, the BadBox malware turns the infected devices into residential proxies. They then routinely connect to attacker-controlled C2 servers to receive new commands and to send back stolen data such as passwords. These commands may be used to launch credential stuffing attacks, create fake accounts, generate fake ad impressions, or redirect users to low-quality domains as part of a fraudulent traffic distribution operation.
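The regular polling of C2 servers described above is something a home-network defender can look for in their own resolver or router DNS logs. The following Python script is an added example, not code from HUMAN's report or from Tom's Guide: it groups queries by (device, domain) and flags pairs whose query intervals are nearly constant. The log format, the device names and the domain names are all constructed for illustration and are not real BadBox indicators.

```python
"""Flag devices on a home network that query the same domain at a
near-constant cadence, the polling behaviour described for BadBox 2.0.

Added example; the log lines, device names and domains are constructed
placeholders, not real indicators from the HUMAN report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "<ISO timestamp> <client> <queried domain>"
SAMPLE_LOG = """\
2025-03-05T10:00:02 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:00:05 laptop-02 www.example.com
2025-03-05T10:05:01 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:07:40 laptop-02 cdn.example.net
2025-03-05T10:10:03 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:12:10 laptop-02 www.example.com
2025-03-05T10:15:00 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:20:02 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:25:01 tvbox-01 update.example-c2-placeholder.test
2025-03-05T10:31:15 laptop-02 www.example.com
"""

# Domains the household knowingly uses; queries to these are never flagged.
ALLOWLIST = {"www.example.com", "cdn.example.net"}


def parse_log(text):
    """Group query timestamps by (client, domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        series[(client, domain)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_queries=5, max_jitter_ratio=0.2):
    """Return [(client, domain, mean_interval_seconds)] for pairs whose
    query intervals are nearly constant.

    The signal is a low coefficient of variation (stdev / mean) of the
    gaps between queries, over at least `min_queries` queries: human
    browsing is irregular, a polling implant is not.
    """
    hits = []
    for (client, domain), stamps in parse_log(text).items():
        if domain in ALLOWLIST or len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((client, domain, round(avg)))
    return hits


if __name__ == "__main__":
    for client, domain, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} queries {domain} every ~{interval}s; "
              "check whether this device is Play Protect certified")
```

On the constructed sample the TV box is reported for querying the placeholder domain roughly every 300 seconds, while the laptop's irregular browsing is not. A hit is a prompt to check the device, not proof of infection: legitimate update checkers also poll on a timer, so the allowlist should be extended with whatever your own devices are known to contact.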
How to stay safe from BadBox 2.0
Google has already removed the malicious apps discovered by HUMAN's researchers from the Play Store and added a Play Protect enforcement rule to warn users as well as to block the installation of apps associated with BadBox 2.0 on any certified Android devices.
However, because the search giant cannot disinfect non-Play Protect Android devices, BadBox cannot be entirely eliminated. A list of devices that are known to be affected by the current version of BadBox can be found at the very bottom of Human's report linked above. If you have a device on that list, it's unlikely that you will be able to update it with clean firmware. Your most secure option is to disconnect that device from the internet, or better still, replace it with a certified device from a reputable brand.
"If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results," a Google spokesperson explained in a statement to BleepingComputer. "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled.”
Consumers who want to stay safe should avoid buying AOSP-based Android devices like off-brand TV boxes that lack official Google Play Services support. Additionally, always make sure to keep your firmware up to date and install the latest security patches as soon as they become available on whichever of the best streaming devices you're currently using.
You also want to avoid sideloading apps and stick to using only ones from the Google Play Store and other official app stores. Likewise, Android TV devices can have their remote access features disabled when not in use, which takes them offline. This can provide an extra layer of security to protect your devices and your data if they've unknowingly become part of a botnet.
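A quick way to audit the "avoid sideloading" advice on a device you already own is to list the third-party apps together with the package that installed them. The Python script below is an added example, not code from Google, HUMAN or Tom's Guide; it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and reports every app that was not installed by the Google Play Store (installer package `com.android.vending`). The sample output is constructed, and the package names in it are placeholders, not BadBox indicators.

```python
"""Report third-party Android apps that were not installed by a trusted
app store, using `pm list packages -3 -i` output.

Added example. SAMPLE_OUTPUT is constructed; the package names are
placeholders, not indicators from the HUMAN report.
"""
import shutil
import subprocess

# Installer package names treated as trusted. com.android.vending is the
# Google Play Store; add other official stores you actually use here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_OUTPUT = """\
package:com.example.weather  installer=com.android.vending
package:com.example.streamer  installer=null
package:com.example.launcher  installer=com.example.filemanager
package:com.example.notes  installer=com.android.vending
"""


def parse_pm_output(text):
    """Return {package_name: installer_or_None} from pm list output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition("  installer=")
        installer = rest.strip()
        # pm prints "installer=null" when it has no record of the installer
        result[name.strip()] = None if installer in ("", "null") else installer
    return result


def sideloaded(text, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is unknown or not in the trusted set."""
    return sorted(pkg for pkg, inst in parse_pm_output(text).items()
                  if inst is None or inst not in trusted)


def from_device():
    """Run the query against a USB-attached device; needs adb on PATH and
    USB debugging enabled on the device."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found; install Android platform-tools")
    out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                         capture_output=True, text=True, check=True).stdout
    return sideloaded(out)


if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE_OUTPUT):
        print("not installed by a trusted store:", pkg)
```

Apps pre-loaded by the manufacturer are system packages and are excluded by the `-3` flag, so this check only covers what was added after purchase; for a device on HUMAN's affected list, the article's advice to disconnect or replace it still applies regardless of what this inventory shows.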
It might also be worth investing in one of the best Wi-Fi routers or the best mesh Wi-Fi systems with security software built-in. While the best antivirus software can keep your PC safe from malware, network-wide security solutions like Netgear's Armor or TP-Link's HomeShield protect all of the devices connected to your home network from viruses and other threats. If you want our recommendation for best Android TV box, we still really like the Nvidia Shield even if it is now several years old at this point.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.