SecurityWeek

IoT Security

Botnet of 190,000 BadBox-Infected Android Devices Discovered

Bitsight has discovered a BadBox botnet consisting of over 190,000 Android devices, mainly Yandex smart TVs and Hisense smartphones.

More than 190,000 Android devices have been observed connecting to newly uncovered BadBox botnet infrastructure, cybersecurity firm Bitsight reports.

Sinkholing a BadBox domain revealed that most of the infected devices are models not previously seen in BadBox infections, such as Yandex 4K QLED smart TVs and Hisense T963 smartphones, with Russia, China, India, Belarus, Brazil, and Ukraine the most affected countries.

Initially detailed in October 2023, the BadBox malware comes pre-installed in the firmware of low-cost Android-based devices, including TV boxes, smartphones, and other products, likely as the result of a supply chain compromise.

Last year, Human Security identified over 70,000 infected devices that were being abused for various types of fraud and that could be turned into residential proxies. Last week, Germany’s cybersecurity agency found 30,000 BadBox bots after sinkholing their communication with a command-and-control (C&C) server.

Now, Bitsight warns of a new widespread BadBox infection involving more than 100,000 unique IPs associated with Yandex 4K QLED smart TVs, pointing out that this is the first time numerous high-end Android devices have been seen communicating with a BadBox C&C server.

Overall, the cybersecurity firm observed more than 160,000 unique IPs communicating daily with the server, with 98% of the traffic coming from Yandex smart TVs and Hisense T963 smartphones.
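The "unique IPs per day" and "98% of traffic from two models" figures above are the kind of numbers a sinkhole operator derives from the raw hits that land on a seized C&C domain. The script below is an added illustration of that aggregation and is not Bitsight's tooling: the log format, the User-Agent strings, the IP addresses and the model labels are all constructed for the example. It deduplicates clients per day and per device label, then reports the per-model share; the comments note why an IP count is only an approximation of a device count.

```python
"""Aggregate sinkhole hits into daily unique-IP counts and per-model share.

Added example. The log line format (timestamp, client IP, method, path,
quoted User-Agent) and the model labels are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample sinkhole log. The addresses are documentation ranges
# (RFC 5737) and the User-Agent strings are made up for the example.
SAMPLE_LOG = """\
2024-12-16T01:02:03Z 203.0.113.10 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 11; Yandex 4K QLED)"
2024-12-16T01:02:09Z 203.0.113.10 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 11; Yandex 4K QLED)"
2024-12-16T02:15:44Z 198.51.100.7 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 9; T963)"
2024-12-16T03:00:00Z 192.0.2.55 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 10; Generic TV Box)"
2024-12-17T00:10:00Z 203.0.113.10 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 11; Yandex 4K QLED)"
2024-12-17T00:12:00Z 198.51.100.7 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 9; T963)"
2024-12-17T00:13:00Z 198.51.100.8 GET /api/c2 "Dalvik/2.1.0 (Linux; Android 9; T963)"
"""

# Substring of the User-Agent model field -> label. Assumed for the example;
# real attribution needs vendor fingerprints or build properties from the bot.
MODEL_LABELS = {
    "Yandex 4K QLED": "Yandex 4K QLED TV",
    "T963": "Hisense T963",
}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def label_model(user_agent):
    """Map a User-Agent to a device label, or 'other' if none matches."""
    for needle, label in MODEL_LABELS.items():
        if needle in user_agent:
            return label
    return "other"


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    timestamp, ip, _method, _path, user_agent = match.groups()
    return {"day": timestamp[:10], "ip": ip, "model": label_model(user_agent)}


def aggregate(log_text):
    """Build day -> model -> set of client IPs from raw log text."""
    per_day = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # malformed or unrelated line; skip rather than abort
        per_day[record["day"]][record["model"]].add(record["ip"])
    return per_day


def daily_unique_ips(per_day):
    """Unique client IPs per day across all models.

    An IP is a proxy for a device: several devices behind one NAT collapse to
    one IP, and one device on a rotating mobile address shows up as several.
    """
    return {day: len(set().union(*models.values())) for day, models in per_day.items()}


def model_share(per_day, day):
    """Percentage of that day's unique (model, IP) pairs attributed to each label."""
    models = per_day[day]
    total = sum(len(ips) for ips in models.values())
    return {model: round(100 * len(ips) / total, 1) for model, ips in models.items()}


if __name__ == "__main__":
    agg = aggregate(SAMPLE_LOG)
    print(daily_unique_ips(agg))
    for day in sorted(agg):
        print(day, model_share(agg, day))
```

Repeated hits from the same address on the same day count once, which is why the first two sample lines collapse to a single Yandex entry; that deduplication is what turns raw request volume into the "unique IPs" figure quoted in the article.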

“BadBox exploits devices for activities such as residential proxying (using backdoored devices as exit points), remote code installation, account abuse, and ad fraud. One of its most dangerous features is the ability to install additional code/modules without the user’s consent, enabling threat actors to deploy new schemes,” Bitsight says.

According to the cybersecurity firm, the out-of-the-box BadBox infections suggest either that manufacturers are involved, allowing remote attackers to install malicious code, or that the devices are infected at some point during the development, manufacturing, shipping, and/or sales stages.


“We cannot determine if these vectors are mutually exclusive in the case of BadBox,” Bitsight says, pointing out that it is crucial for consumers and enterprises to choose trusted brands and partners to keep their data and devices protected.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
