BADBOX botnet hacked 74,000 Android devices with remote codes



BADBOX is a cybercriminal operation that infects Android devices, like TV boxes and smartphones, with malware before they are sold. These devices, often sold through trusted retailers, pose a major threat due to their pre-installed malicious software, making detection difficult.

All about the attack

Once thought eradicated, the malware has resurfaced, infecting over 192,000 Android devices, including smart TVs and smartphones, mainly in Russia, China, India, Belarus, Brazil, and Ukraine.

Attack flow

Stealthy Android TV malware, likely derived from Triada, compromises devices before they are sold and gives attackers remote access. It was discovered in April 2023 and linked to the PEACHPIT botnet.

It uses compromised devices for proxying, remote code execution, and ad fraud, silently installing malicious modules for further attacks.

Because the firmware itself is compromised, the device contacts the attackers' infrastructure on boot, receives and executes a backdoor, and then installs additional payloads that carry out further attacks without being detected.

Recent operations, like Germany’s disruption of 30,000 BADBOX devices, have only temporarily slowed the botnet’s spread. Bitsight’s sinkholing uncovered over 160,000 unique IPs, including 100,000 from high-end Yandex 4K Smart TVs, showing the botnet’s expansion beyond low-cost devices.

OS: Android

The malware now targets Yandex TVs and T963 smartphones, compromising their security and enabling remote control. Traffic from infected devices is increasing, and their exposed MAC addresses have been linked to a new Swiss Yandex branch, which leaks user data.

YNDX Smart TVs, mostly located in Russia, dominate the observed traffic, followed by Hisense phones, with lower activity from other regions; this reflects YNDX TV's focus on Russia and neighbouring countries. The investigation linked IPs to BADBOX C2 domains through shared URI paths, and identified new C2 domains by pivoting on SSL certificate thumbprints.
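The two pivots described above (shared URI paths and shared certificate thumbprints) as an added example, not code from the article or from Bitsight's investigation; every domain, IP and thumbprint in it is a constructed placeholder, not a real BADBOX indicator.

```python
# Added example: pivoting from known C2 domains to related infrastructure
# via shared URI paths and shared TLS certificate thumbprints.
from collections import defaultdict

# Constructed sinkhole/pDNS-style observations, one per (domain, ip, cert).
# Domains, IPs and thumbprints are placeholders, not real indicators.
OBSERVATIONS = [
    {"domain": "c2-known-a.example", "ip": "203.0.113.10",
     "tls_sha256": "THUMB-AAA", "paths": {"/api/v1/ping", "/dl/module"}},
    {"domain": "c2-known-b.example", "ip": "203.0.113.11",
     "tls_sha256": "THUMB-BBB", "paths": {"/api/v1/ping"}},
    {"domain": "new-host-1.example", "ip": "198.51.100.20",
     "tls_sha256": "THUMB-AAA", "paths": {"/status"}},
    {"domain": "new-host-2.example", "ip": "198.51.100.21",
     "tls_sha256": "THUMB-CCC", "paths": {"/dl/module", "/api/v1/ping"}},
    {"domain": "cdn.benign.example", "ip": "192.0.2.5",
     "tls_sha256": "THUMB-DDD", "paths": {"/index.html"}},
]
KNOWN_C2 = {"c2-known-a.example", "c2-known-b.example"}

def c2_uri_paths(observations, known_c2):
    """URI paths seen on known C2 domains; these are the pivot keys."""
    paths = set()
    for rec in observations:
        if rec["domain"] in known_c2:
            paths |= rec["paths"]
    return paths

def link_ips_by_uri_path(observations, known_c2):
    """IPs of non-C2 hosts that serve a URI path shared with known C2 hosts."""
    pivot = c2_uri_paths(observations, known_c2)
    return {rec["ip"] for rec in observations
            if rec["domain"] not in known_c2 and rec["paths"] & pivot}

def pivot_on_thumbprint(observations, known_c2):
    """Candidate C2 domains presenting the same certificate as a known C2."""
    by_thumb = defaultdict(set)
    for rec in observations:
        by_thumb[rec["tls_sha256"]].add(rec["domain"])
    candidates = set()
    for domains in by_thumb.values():
        if domains & known_c2:
            candidates |= domains - known_c2
    return candidates

if __name__ == "__main__":
    print("IPs sharing C2 URI paths:", sorted(link_ips_by_uri_path(OBSERVATIONS, KNOWN_C2)))
    print("candidate C2 domains by cert:", sorted(pivot_on_thumbprint(OBSERVATIONS, KNOWN_C2)))
```

A hit on either pivot is a lead for analyst review, not proof of compromise; a shared certificate can also come from a shared hosting provider.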

Two active domains showed BADBOX behaviour with high passive DNS (pDNS) request volumes, while others, like yydsmd.com, used a different communication format, suggesting a new BADBOX tactic. BADBOX malware infects Android devices from trusted brands like Yandex and Hisense, highlighting the growing sophistication of cybercriminals and the need for strong vendor and partner trust to prevent data breaches and malicious activity.

About the Author:

FirstHackersNews - Identifies Security
