{"id":2225,"date":"2025-03-06T11:37:20","date_gmt":"2025-03-06T11:37:20","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2225"},"modified":"2025-03-06T11:37:20","modified_gmt":"2025-03-06T11:37:20","slug":"badbox-android-botnet-disrupted-through-coordinated-threat-hunting","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2225","title":{"rendered":"Badbox Android botnet disrupted through coordinated threat hunting"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Badbox, the notorious Android malware botnet, has been disrupted for a third time in 15 months, with over half a million infected machines now sinkholed.<\/p>\n<p>A co-ordinated effort led by the bot detection and mitigation platform, Human Security, will likely cripple the suddenly inflated cybercrime operation that has compromised over one million Android devices worldwide.<\/p>\n<p>\u201cHuman\u2019s Satori Threat Intelligence and Research team recently uncovered and \u2014 in collaboration with Google, Trend Micro, Shadowserver, and other partners \u2014 partially disrupted a complex and expansive fraud operation dubbed \u2018Badbox 2.0\u2019,\u201d Human researchers said in a blog post.<\/p>\n<p>The Badbox botnet operation distributes malware through compromised consumer electronics, primarily Android-based TV boxes.<\/p>\n<h2 class=\"wp-block-heading\">Operation grew multifold since the earlier busts<\/h2>\n<p>Satori researchers observed the evolution of the Badbox operation into Badbox 2.0, confirming that disruption was merely a temporary setback for the threat actors. 
Following the <a href=\"https:\/\/www.humansecurity.com\/company\/satori-threat-intelligence\/badbox\/\">first disclosure in 2023<\/a>, the C2 servers powering Badbox were shut down, and infected devices were removed from major marketplaces.<\/p>\n<p>However, attackers quickly adapted, making minor tweaks to evade detection, which apparently survived a second major takedown by the <a href=\"https:\/\/www.csoonline.com\/article\/3625293\/hacker-knacken-das-smart-home.html\">German authorities in December 2024<\/a>.<\/p>\n<p>\u201cThe BADBOX 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted, the number of devices infected, the different types of fraud conducted, and the complexity of the scheme,\u201d Gavin Reid, CISO of Human, said in a press statement. \u201cThis operation embodies the interconnected nature of modern cyberattacks and how threat actors target the customer journey and demonstrates why businesses require full-spectrum protection from the impacts of digital fraud and abuse.\u201d<\/p>\n<p>The investigation revealed deceptive tactics used by the attackers, including a fake version of Saletracker, a module originally designed for sales monitoring by a Chinese device manufacturer. The attackers disguised their Triada-based backdoor under this fake module, using it as a cover for controlling infected devices.<\/p>\n<p>Additionally, the threat actors established a series of domains to host new C2 servers. 
By spring of 2024, Satori researchers identified new test versions of backdoors linked to these C2 servers.<\/p>\n<p>\u201cSatori identified more than 1 million devices that were infected in Badbox 2.0, up from the 74,000 in the original Badbox scheme,\u201d Human <a href=\"https:\/\/www.humansecurity.com\/learn\/blog\/satori-threat-intelligence-disruption-badbox-2-0\/\">added<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Badbox 2.0 operates multiple frauds<\/h2>\n<p>Badbox 2.0 infiltrates low-cost consumer devices with backdoors, allowing threat actors to remotely deploy fraud modules.<\/p>\n<p>These devices connect to actor-controlled C2 servers and, on activation, can carry out multiple attacks, including programmatic ad fraud, click fraud, and acting as residential proxy servers \u2014 which in turn facilitate attacks like account takeover, fake account creation, <a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">DDoS<\/a>, malware distribution, and one-time-password (OTP) theft.<\/p>\n<p>\u201cBadbox 2.0 threat actors also operated over 200 re-bundled and infected versions of popular apps listed on third-party marketplaces and served as an alternative backdoor delivery system,\u201d researchers added. Of these, the team identified 24 \u201cevil twin\u201d apps with corresponding \u201cdecoy twin\u201d apps on the Play Store, through which ad fraud is conducted.<\/p>\n<p>Human collaborated with Google to take these apps off Google Play. 
\u201cWe appreciate collaborating with Human to take action against the Badbox operation and protect consumers from fraud,\u201d Shailesh Saini, Director of Android Security &amp; Privacy Engineering &amp; Assurance, Google, said in a press statement. \u201cThe infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.\u201d<\/p>\n<p>Users should ensure Google Play Protect, Android\u2019s malware protection that is switched on by default on devices with Google Play Services, is enabled, Saini added. Human Security, in collaboration with the internet security group Shadowserver Foundation, sinkholed multiple Badbox 2.0 domains, disrupting communication between over 500,000 infected devices and the botnet\u2019s C2 servers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Badbox, the notorious Android malware botnet, has been disrupted for a third time in 15 months, with over half a million infected machines now sinkholed. A co-ordinated effort led by the bot detection and mitigation platform, Human Security, will likely cripple the suddenly inflated cybercrime operation that has compromised over one million Android devices worldwide. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2226,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2225"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2225"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2225\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2226"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}