BADBOX 2.0 Botnet Infects Million-Plus Devices, FBI Says
The BADBOX botnet campaign, which came into the public eye in 2023 and was disrupted by German authorities a year later, is gaining momentum again in a new iteration that carries more capabilities and has infected more than one million home internet-connected devices.
The FBI this month issued a warning about the rising threat – BADBOX 2.0 – that is exploiting internet of things (IoT) systems ranging from TV streaming devices and digital projectors to aftermarket infotainment systems in vehicles and digital picture frames. The majority of infected devices were made in China, according to the agency.
“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI wrote in the alert.
In the initial BADBOX campaign, the attackers gained access to devices and home networks through Android devices that had been backdoored before they were bought. The latest iteration has some new tricks.
“BADBOX 2.0, in addition to compromising devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces,” the FBI wrote. “The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity.”
A Warning From Human Security
The agency’s alert came three months after cybersecurity vendor Human Security wrote about the rise of BADBOX 2.0, noting that the backdoor it uses reaches devices in one of three ways: pre-installed on the device, as with the original BADBOX; retrieved from the C2 server that the device contacts after first boot; or downloaded by unknowing users from third-party marketplaces.
Like the initial threat, BADBOX “begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely,” researchers with Human’s Satori Threat Intelligence unit wrote in a report. “These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors. The BADBOX and BADBOX 2.0 threat actors exploit software or hardware supply chains or distribute seemingly benign applications that contain ‘loader’ functionality in order to infect these devices and applications with the backdoor.”
Once in the networks, the hackers can run several attacks, from ad and click fraud and account takeover to distributing malware, creating fake accounts, stealing one-time passwords and running distributed denial-of-service (DDoS) attacks.
The attacks are widespread, reaching more than one million consumer devices, most of them China-built. In addition, Human researchers have observed BADBOX 2.0-associated traffic from 222 countries and territories, reflecting its global reach.
Partial Disruption
The Satori researchers said they worked with counterparts at Google, Trend Micro and Shadowserver to partially disrupt the infrastructure behind the latest iteration of the botnet. The built-in malware and unwanted-software protections in Google Play Protect automatically warn users and block apps that exhibit behavior associated with BADBOX at install time on Play Protect-certified Android devices.
Google is also terminating publisher accounts associated with BADBOX 2.0 from its ad ecosystem and recommends that users check that their devices are Play Protect certified.
At Least Four Threat Actors Involved
Satori researchers connected four known Chinese threat groups to BADBOX 2.0 based on the C2 servers they share. They said that SalesTracker Group is likely responsible for the BADBOX campaign and staged and managed the C2 infrastructure for BADBOX 2.0. MoYu Group developed the backdoor used by BADBOX 2.0, coordinated variants of the backdoor and devices they were installed on, and operated a botnet comprising some of the devices infected by BADBOX 2.0.
MoYu Group also ran a click fraud campaign and enabled a programmatic ad fraud operation.
Lemon Group is connected to the residential proxy services created in BADBOX and an ad fraud campaign leveraging a network of HTML5 game websites using BADBOX 2.0 infected devices.
Beware LongTV
Meanwhile, LongTV is a brand of a Malaysian internet and media company that sells connected TV devices and develops apps for them and for other devices built on the Android Open Source Project.
“Several LongTV-developed apps are responsible for an ad fraud campaign centered on hidden ads based on an ‘evil twin’ technique,” the researchers wrote, adding that the technique “centers on malicious apps distributed through non-official channels representing themselves as similar benign apps distributed through official channels which share a package name.”
The FBI recommended users keep an eye out for possible indicators of BADBOX 2.0 activity, including suspicious app marketplaces, apps that require Google Play Protect settings to be disabled, generic TV streaming devices touted as unlocked or able to access free content, IoT devices from unrecognizable brands, and Android devices that are not Play Protect-certified.
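Two of the indicators above, sideloaded apps and the “evil twin” package-name collision described by the Satori researchers, can be checked mechanically on a device you control. The script below is an added example written for this page; it is not code from the FBI alert or from Human’s report. It assumes an inventory where the first two fields of each line match the output of `adb shell pm list packages -i` (package name and recorded installer, `installer=null` when none) and a third `signer=` field carrying the SHA-256 of the APK’s signing certificate, appended by a collector such as `apksigner verify --print-certs` (that combined format is an assumption). It treats Google Play (`com.android.vending`) as the only trusted installer and flags any package whose name matches a known app but whose certificate does not. All package names, digests and inventory lines are constructed sample data.

```python
"""Flag sideloaded and 'evil twin' packages in an Android app inventory.

Added example for this article, not code from the FBI or Human Security.
Input format (assumed): one line per package,
    package:<name> installer=<installer|null> signer=<sha256 hex>
The first two fields mirror `adb shell pm list packages -i`; the signer
digest is assumed to be appended by a separate collection step.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Installer packages treated as official app stores. Assumption: Google Play only;
# add OEM store package names you trust.
TRUSTED_INSTALLERS = {"com.android.vending"}


def _digest(label: str) -> str:
    """Deterministic stand-in for a real certificate digest (constructed data)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Known-good signing-certificate digests for apps you care about. Constructed values;
# in practice these come from the official store copy of each app.
KNOWN_SIGNERS = {
    "com.example.streamplayer": _digest("streamplayer official signer"),
    "com.example.weather": _digest("weather official signer"),
}

LINE_RE = re.compile(
    r"^package:(\S+)\s+installer=(\S+)\s+signer=([0-9a-fA-F]{64})$"
)


@dataclass(frozen=True)
class PackageRecord:
    name: str
    installer: str  # "null" when the platform recorded no installer
    signer: str     # lowercase SHA-256 of the signing certificate


def parse_inventory(text: str) -> list[PackageRecord]:
    """Parse the assumed inventory format, rejecting malformed lines loudly."""
    records: list[PackageRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable inventory line: {line!r}")
        name, installer, signer = match.groups()
        records.append(PackageRecord(name, installer, signer.lower()))
    return records


def assess(records: list[PackageRecord]) -> dict[str, list[str]]:
    """Return {package: [reasons]} for every package that trips an indicator."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        reasons: list[str] = []
        # Indicator 1: installed from outside a trusted store (or no installer at all).
        if rec.installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={rec.installer})")
        # Indicator 2: evil twin, same package name as a known app, different signer.
        expected = KNOWN_SIGNERS.get(rec.name)
        if expected is not None and rec.signer != expected:
            reasons.append(
                "signer mismatch: package name matches a known app "
                "but the signing certificate differs (evil twin)"
            )
        if reasons:
            findings[rec.name] = reasons
    return findings


# Constructed sample inventory: one clean Play install, one evil twin with no
# recorded installer, and one app from a third-party market.
SAMPLE_INVENTORY = f"""
package:com.example.streamplayer installer=com.android.vending signer={_digest('streamplayer official signer')}
package:com.example.weather installer=null signer={_digest('unknown third-party signer')}
package:com.example.freetv installer=com.thirdparty.market signer={_digest('freetv signer')}
"""


if __name__ == "__main__":
    for pkg, reasons in assess(parse_inventory(SAMPLE_INVENTORY)).items():
        print(pkg)
        for reason in reasons:
            print(f"  - {reason}")
```

On the constructed sample the Play-installed `com.example.streamplayer` is clean, `com.example.weather` is flagged twice (no installer, signer differs from the known certificate), and `com.example.freetv` is flagged once as sideloaded. A signer mismatch on a package name you recognise is the strongest of the three signals, because Android will not let the twin install over the genuine app on the same device, so its presence means the device never had the official copy.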