
Botnet of 190,000 BadBox-Infected Android Devices Discovered

Bitsight has discovered a BadBox botnet consisting of over 190,000 Android devices, mainly Yandex smart TVs and Hisense smartphones.

More than 190,000 Android devices have been observed connecting to newly uncovered BadBox botnet infrastructure, cybersecurity firm Bitsight reports.

The sinkholing of a BadBox domain has revealed that most of the infected devices are unique models not seen before, such as Yandex 4K QLED smart TVs and Hisense T963 smartphones, with Russia, China, India, Belarus, Brazil, and Ukraine affected the most.

Initially detailed in October 2023, the BadBox malware comes pre-installed in the firmware of low-cost Android-based devices, including TV boxes, smartphones, and other products, most likely as the result of a supply chain compromise.

Last year, Human Security identified over 70,000 infected devices that were being abused for various types of fraud and could be turned into residential proxies. Last week, Germany’s cybersecurity agency found 30,000 BadBox bots after sinkholing their communication with a command-and-control (C&C) server.

Now, Bitsight warns of a new widespread BadBox infection involving more than 100,000 unique IPs associated with Yandex 4K QLED smart TVs, pointing out that this is the first time numerous high-end Android devices have been seen communicating with a BadBox C&C server.

Overall, the cybersecurity firm observed more than 160,000 unique IPs communicating daily with the server, with 98% of the traffic coming from Yandex smart TVs and Hisense T963 smartphones.


“BadBox exploits devices for activities such as residential proxying (using backdoored devices as exit points), remote code installation, account abuse, and ad fraud. One of its most dangerous features is the ability to install additional code/modules without the user’s consent, enabling threat actors to deploy new schemes,” Bitsight says.

According to the cybersecurity firm, the out-of-the-box BadBox infections suggest either that manufacturers could be involved, allowing remote attackers to install malicious code, or that the infection is performed during the development, manufacturing, shipping, and/or sales stages.

“We cannot determine if these vectors are mutually exclusive in the case of BadBox,” Bitsight says, pointing out that it is crucial for consumers and enterprises to choose trusted brands and partners to keep their data and devices protected.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
