Human Security’s Satori research team says it has found a new variant of the remote-controllable Badbox malware, running on as many as a million infected Android devices that together form a massive botnet.
The infosec outfit spotted the first Badbox outbreak in 2023, when it found off-brand Android-powered internet-connected TV devices – knockoffs of kit like Apple TV, Roku, or Amazon Fire Sticks – contaminated with malware that participated in a colossal ad-fraud network called Peachpit. Around 74,000 devices participated in the first Badbox cluster.
Badbox 2.0 apparently again targets Android, this time hardware running the base Android Open Source Project, aka AOSP, and has been spotted in cheap off-brand phones, more net-connected TV boxes, tablets sold for use in cars, and digital projectors.
Gavin Reid, CISO of Human Security, told The Register the botnet’s herders sometimes spread their software nasty by intervening in the supply chain to buy cheap hardware, rebadge it, install their evil code in either firmware or an app users are likely to use often, then resell the poisoned products.
The Human Security researchers also said they found more than 200 apps infected with malware that participates in the botnet, all hosted on third-party Android app stores. Most are “evil twins” of legit programs submitted to Google’s Play Store. After those legit apps appear, crooks create and publish very similar packages on third-party software souks – complete with the malware. Users of third-party app stores – which are big in the developing world – are fooled into downloading and installing the evil twins.
“The Badbox 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted, the number of devices infected, the different types of fraud conducted, and the complexity of the scheme,” Reid said.
It may also be the result of collaboration among crims, as Satori researchers have identified four sets of miscreants they believe each run different aspects of the Badbox operation.
All the infected devices are made in China, and the malware they run has produced network traffic from 222 countries and territories (the UN recognizes 248) since the 2.0 botnet was first spotted last northern autumn.
The botnet is monetized with hidden ads that users never see, but which advertisers are told have been eyeballed. Ad-click fraud is another tactic.
Lindsay Kaye, vice president of threat intelligence at Human Security, told us the botnet’s operators work hard to disguise their fraudulent activities. If a legit ad network detects a whole load of ad views or clicks in a country like China, it’ll raise a red flag. So, if that fraud takes place on internet-connected boxes around the world, it’s harder to spot and block.
“If you’re coming from a server in China, it may be very easy for people to detect all of the data that’s coming as ad fraud, right? None of it’s good,” she said.
“But if you’re coming from a residential house where 99.9 percent of the traffic’s good, and then they [the botnet operator] just switch it on for a little bit, do a little bit of ad fraud, and then switch over to someone down the road. They can blend this in and be extremely effective, and then kind of get around a lot of the controls that most companies have in place to prevent fraud.”
Satori also found evidence that the malware is stealing passwords entered into infected hardware.
[Image: Got one of these? Now might be a good time to pull the plug … Human Security’s examples of potentially infected devices. Source: Human Security]
The botnet could be used for denial of service attacks, but Reid thinks its operators know doing so would attract unwelcome attention, hence the quiet low-key fraud.
At its peak Badbox 2.0 infected nearly a million devices, but that number has been halved thanks to work by Human Security, Google, Trend Micro, and the non-profit Shadowserver Foundation. Those players identified and shut down command-and-control servers directing the hijacked equipment, Google watched for suspicious Android traffic, and Human alerted companies to ad fraud coming from these devices.
Another piece of good news is that the infections appear to have been caught early. Kaye noted that when examining the modules of the malware, many were marked “test,” indicating the botnet was in its early days.
However, she feels it’s likely the criminals behind Badbox 2.0 will try to revive their evil network, and hide their activities by changing behavior – as was the case after researchers found the first Badbox network.