BadBox Malware Infects 192K Android Devices Despite Crackdown

The BadBox Android malware botnet has now infected over 192,000 devices globally, despite recent attempts to disrupt its operations in Germany. Researchers report that this sophisticated malware is targeting not just obscure Chinese devices but also well-known brands, including Yandex TVs and Hisense smartphones.

BadBox, linked to the notorious Triada malware family, infiltrates devices via supply chain attacks, compromised firmware, or tampering during distribution. It first came to light in early 2023 when a Canadian security consultant found it on a T95 Android TV box. Since then, the BadBox malware has spread to other lesser-known products that are available online.

The malware’s primary goal is financial exploitation. It turns infected devices into residential proxies or uses them for ad fraud. Residential proxies rented to third parties, including cybercriminals, can enable further malicious activity. Additionally, BadBox can install other harmful software, significantly amplifying its danger.

Last week, Germany’s cybersecurity agency disrupted part of the operation by cutting off one of the malware’s command and control servers. This action severed communication with approximately 30,000 devices, mostly Android-based digital picture frames and streaming boxes. However, researchers confirm the botnet continues to grow unchecked, with its presence detected in new device categories.

Recent findings revealed that 160,000 of the infected devices are Yandex 4K Smart TVs, with a significant concentration in Russia. Other affected regions include China, India, Belarus, Brazil, and Ukraine. Germany’s efforts were localized and had no long-term effect on the botnet’s global reach.

Preventing Future Infections

To mitigate threats like this, users should promptly apply firmware updates, keep smart devices isolated from critical systems, and disconnect unused devices from the internet. If no updates are available, consider removing the devices from your network. Recognizing signs of infection, such as overheating, slow performance, or unusual network activity, is crucial for timely action.