The BADBOX botnet has infected over 192,000 Android devices worldwide, expanding from low-cost brands to major ones like Yandex TVs and Hisense phones, exposing supply chain risks.
BADBOX Botnet
BADBOX malware is pre-installed in device firmware, meaning products are infected right out of the box. Once online, they connect to the cybercriminals’ command-and-control (C2) servers.
The malware turns devices into proxies, commits ad fraud, steals 2FA codes, and installs more malware, putting users at risk and enabling larger cybercrimes.
Researchers link BADBOX to supply chain attacks during manufacturing or distribution. Likely derived from Triada malware, it operates stealthily. Infected devices are sold online, making detection before purchase nearly impossible.
A sinkhole operation found over 160,000 unique IPs connecting to a BADBOX server in 24 hours, highlighting its rapid spread across Russia, China, India, Brazil, Belarus, and Ukraine.
Implications and Response
The Censys report highlights BADBOX’s threat to supply chain security and device integrity. Operating at the firmware level, it is nearly impossible to remove without a full firmware replacement. German authorities disrupted part of the botnet, cutting off 30,000 devices.
Experts advise users to disconnect and replace infected devices. Manufacturers must improve supply chain security to prevent future attacks.
IOCs – BADBOX Botnet