
Malware BadBox infects over 500,000 Android devices.
A new operation disrupts the functioning of a well-known botnet malware.
Cybersecurity experts from HUMAN and their partners have disrupted the BadBox 2.0 botnet, the successor to the Android malware known as BadBox. The operation included removing multiple malicious applications from the Play Store, banning the developers responsible, and sinkholing several of the botnet's command-and-control domains. The botnet primarily targeted low-cost, off-brand Android devices.
The researchers noted that the affected devices run builds based on the Android Open Source Project (AOSP); Android TV OS devices and Play Protect certified devices are not affected. The devices are manufactured in China and sold worldwide. In total, 24 malicious applications were removed from the store, and the developer accounts that published them were banned. HUMAN also sinkholed an undisclosed number of domains, cutting off communication between the malware and its control servers. The devices remain infected, but the malware can no longer reach its operators.
BadBox turns infected Android devices into residential proxies, which are then used for ad fraud and for attacks such as credential stuffing. It is estimated to have infected hundreds of thousands of devices, from TV streaming boxes to smartphones. Exactly how the devices were compromised has not been determined, but some experts suggest the malware was implanted during production or somewhere along the supply chain, particularly on very cheap, uncertified models.
German authorities recently disrupted part of the botnet's activity within their territory, but the effect was limited: BadBox went on to infect over a million devices, primarily in Brazil, the United States, and Mexico. Because of this reach and resilience, HUMAN named the new variant "BadBox 2.0".
HUMAN carried out the disruption together with Google, Trend Micro, The Shadowserver Foundation, and other partners. To guard against such threats, buy hardware and software from trusted sources (for Android devices, prefer Play Protect certified models), keep them updated, and monitor the network for suspicious activity, such as a device that suddenly opens connections to many unrelated external hosts.
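One concrete form the "monitor for suspicious activity" advice can take is a network-side heuristic: a TV box or phone that has been turned into a residential proxy exit fans out to many unrelated external hosts and subnets, whereas a clean streaming device talks to a handful of CDN endpoints. The script below is an added example written for this page, not HUMAN's detection logic or any indicator they published; the flow-log format, the thresholds, and the sample addresses are all assumptions, and the sample log is constructed inline so the script runs offline.

```python
"""Flag LAN devices whose outbound connection pattern resembles a residential
proxy exit (many distinct external destinations across many /24s) rather than
a streaming box (a few CDN edges). Added illustration; format, thresholds and
sample data are assumptions, not indicators from HUMAN's BadBox 2.0 research."""
from collections import defaultdict
import ipaddress
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated records: 'epoch src_ip dst_ip dst_port bytes_out'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def profile_devices(flows: List[Flow]) -> Dict[str, dict]:
    """Per source device: distinct external destinations, /24s, ports, bytes out.
    Non-global destinations (LAN, loopback, documentation ranges) are ignored."""
    prof = defaultdict(lambda: {"dsts": set(), "nets": set(), "ports": set(), "bytes": 0})
    for f in flows:
        if not ipaddress.ip_address(f.dst).is_global:
            continue
        p = prof[f.src]
        p["dsts"].add(f.dst)
        p["nets"].add(str(ipaddress.ip_network(f"{f.dst}/24", strict=False)))
        p["ports"].add(f.dport)
        p["bytes"] += f.nbytes
    return dict(prof)


def flag_proxy_candidates(text: str, min_dsts: int = 20, min_nets: int = 15) -> List[str]:
    """Return source IPs exceeding both thresholds (assumed values; tune per network).
    Requiring many distinct /24s, not just many IPs, avoids flagging a client that
    hits many addresses inside a single CDN block."""
    flagged = []
    for src, p in profile_devices(parse_flows(text)).items():
        if len(p["dsts"]) >= min_dsts and len(p["nets"]) >= min_nets:
            flagged.append(src)
    return sorted(flagged)


def constructed_sample_log() -> str:
    """Constructed flow log (not captured traffic): 192.168.1.20 is a streaming box
    talking to two CDN edges; 192.168.1.31 fans out to 30 destinations on web ports,
    the shape a proxy exit produces. Destination addresses are made up."""
    lines = []
    for i in range(10):
        lines.append(f"{1700000000 + i} 192.168.1.20 23.46.12.9 443 {400000 + i}")
        lines.append(f"{1700000000 + i} 192.168.1.20 151.101.1.10 443 {300000 + i}")
    for i in range(30):
        dst = f"45.{i + 1}.{(i * 7) % 250 + 1}.{i + 10}"
        port = 443 if i % 3 else 80
        lines.append(f"{1700000100 + i} 192.168.1.31 {dst} {port} {2000 + i}")
    lines.append("1700000200 192.168.1.31 192.168.1.1 53 80")  # local DNS, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    log = constructed_sample_log()
    for src, p in profile_devices(parse_flows(log)).items():
        print(f"{src}: {len(p['dsts'])} hosts, {len(p['nets'])} /24s, "
              f"ports={sorted(p['ports'])}, bytes_out={p['bytes']}")
    print("proxy candidates:", flag_proxy_candidates(log))
```

Run it against flow export (NetFlow/IPFIX, router logs, or a firewall's connection log reshaped into the five-field format) for the VLAN where TV boxes and other cheap Android devices live. The thresholds are starting points only: a device that is legitimately used for web browsing will also fan out, so the heuristic is a triage signal to pair with the purchase-source and certification checks above, not a verdict.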