A sprawling cyberattack operation dubbed BADBOX 2.0, impacting over one million Android devices worldwide, has been partially disrupted through collaborative efforts between HUMAN Security, Google, Trend Micro, Shadowserver, and other industry partners. This malicious botnet, an evolution of the original BADBOX discovered in 2023, represents the largest network of compromised connected TV (CTV) devices ever uncovered.
What is BADBOX 2.0?
BADBOX 2.0 is a botnet comprised of backdoored, low-cost Android devices, primarily tablets, CTV boxes, digital projectors, and aftermarket vehicle infotainment systems manufactured in mainland China. These devices, running the Android Open Source Project (AOSP) rather than certified Android TV OS, are infected with malware either during the manufacturing process or through malicious applications downloaded from third-party marketplaces. The backdoors allow threat actors to remotely load and execute various fraud modules.

How the Backdoor Works
The backdoor operates much as the original BADBOX infection did: when the device is first turned on, it contacts a C2 server and downloads a file. That file decrypts itself into the components responsible for persistence and communications and sets up subsequent downloads, which are responsible for the fraud itself.
In the BADBOX operation, the infection centered on a critical Android file, libandroid_runtime.so, that the threat actors modified. For BADBOX 2.0, the threat actors “improved” their attack.
The BADBOX 2.0 backdoor begins when a class named com.hs.app, buried deep in the source code, loads libanl.so, the library that deploys the fraud mechanisms onto the device and makes it accessible to the threat actors.
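As an added defender-side example that is not part of the report, the scanner below checks an APK (which is a zip archive) for the two artifacts the report names: a DEX reference to the com.hs.app class and a bundled libanl.so native library. The sample archives are constructed here; a name match is only a triage signal for closer inspection, not proof of infection.

```python
import io
import re
import zipfile

# Indicators named in the report. The DEX string pool stores class descriptors
# as "Lcom/hs/app;", so a raw byte search on the descriptor prefix is enough.
SUSPECT_CLASS = b"Lcom/hs/app"
SUSPECT_NATIVE_LIB = "libanl.so"
LIB_PATH = re.compile(r"^lib/[^/]+/([^/]+)$")   # lib/<abi>/<name>.so


def scan_apk(apk_bytes):
    """Return which DEX files reference com.hs.app and which ABI directories
    bundle libanl.so. Both lists empty means no indicator matched."""
    hits = {"dex_class_refs": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # classes.dex, classes2.dex, ... hold the compiled Java/Kotlin code
            if name.startswith("classes") and name.endswith(".dex"):
                if SUSPECT_CLASS in zf.read(name):
                    hits["dex_class_refs"].append(name)
            m = LIB_PATH.match(name)
            if m and m.group(1) == SUSPECT_NATIVE_LIB:
                hits["native_libs"].append(name)
    return hits


def is_suspicious(hits):
    # Either indicator alone warrants review; both together is a strong match.
    return bool(hits["dex_class_refs"] or hits["native_libs"])


def build_sample_apk(include_indicators):
    """Constructed stand-in APK: a zip with only the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        descriptor = b"Lcom/hs/app;" if include_indicators else b"Lcom/example/Main;"
        zf.writestr("classes.dex", b"dex\n035\x00" + descriptor)
        if include_indicators:
            zf.writestr("lib/arm64-v8a/libanl.so", b"\x7fELF" + b"\x00" * 16)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("badbox-like", True)):
        hits = scan_apk(build_sample_apk(flag))
        print(label, is_suspicious(hits), hits)
```

To scan a real package, pass the bytes of an APK pulled from a device (for example via `adb pull`) to `scan_apk` instead of the constructed sample.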

“We appreciate collaborating with HUMAN to take action against the BADBOX operation. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled,” said Google.
Impact of BADBOX 2.0
Once infected, these devices become part of a botnet, enabling a range of malicious activities, including:
- Programmatic Ad Fraud: Rendering hidden ads and navigating to ad-heavy websites to generate illegitimate ad impressions.
- Click Fraud: Automating clicks on ads to deplete advertiser budgets.
- Residential Proxy Services: Selling access to the device’s IP address, enabling malicious traffic routing and activities like account takeover (ATO), fake account creation, DDoS attacks, malware distribution, and one-time password (OTP) theft.
The scale of BADBOX 2.0 is significant, affecting devices in 222 countries and territories.
What Now?
While a partial disruption has been achieved, the threat is not entirely eliminated. Key actions taken include:
- Infrastructure Sinkholing: Redirecting traffic from command-and-control (C2) servers to disrupt botnet operations.
- Google Play Protect Enhancements: Google Play Protect now warns users and blocks apps exhibiting BADBOX-related behavior on certified devices.
- Malicious App Removal: 24 malicious apps associated with BADBOX 2.0 have been removed from the Google Play Store.
- Publisher Account Termination: Google has terminated publisher accounts linked to BADBOX 2.0 fraud schemes.
However, because the infection is introduced in the supply chain, complete disruption remains challenging. Researchers at HUMAN Security continue to monitor the threat actors, who are known to adapt their tactics.
Recommendations:
- Stick to Reputable Brands: Choose devices from reputable manufacturers with a strong security track record.
- Ensure Google Play Protect Certification: Verify that Android devices are Google Play Protect certified.
- Regular Firmware Updates: Keep devices updated with the latest firmware, which often includes security patches.
- Active Security Solutions: Consider using active security solutions on Android devices to detect and block malicious apps and traffic.