Thursday, January 23, 2025
HomeAndroidBADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes

BADBOX Botnet Hacked 74,000 Android Devices With Customizable Remote Codes

Published on

SIEM as a Service

Follow Us on Google News

BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with malware before sale, which are often sold through reputable retailers and pose a significant threat to users due to their pre-installed malicious software, making detection challenging.

It previously thought eradicated has resurfaced with a significantly expanded reach, infecting over 192,000 Android devices, including smart TVs and smartphones from various manufacturers, primarily targeting users in Russia, China, India, Belarus, Brazil, and Ukraine. 

Stealthy Android TV malware, likely derived from Triada, compromises devices before sale, granting remote access to attackers, which was discovered in April 2023 and linked to the PEACHPIT botnet.

activity flow
activity flow

It leverages compromised devices for nefarious activities like proxying, remote code execution, and ad fraud, which can silently install additional malicious modules, enabling threat actors to launch new attacks. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The device, compromised by malicious firmware, automatically connects to a harmful network upon booting to receive and execute backdoors, which can then download and install additional malicious payloads without user authorization, enabling the attackers to carry out various undetected and evolving attacks.

POST telemetry
POST telemetry

Recent operations, such as the German disruption of 30,000 BADBOX-infected devices, have only temporarily slowed the botnet’s spread.

Bitsight’s sinkholing efforts revealed over 160,000 unique IPs, including 100,000 from high-end Yandex 4K QLED Smart TVs, demonstrating the botnet’s persistent threat and its expansion beyond low-cost devices.

The malware infected high-end Yandex 4K Smart TVs, compromising their security and enabling potential remote control, which marks a significant expansion of the malware’s target range beyond typical Android devices.

Yandex Smart TVs and T963 smartphones are compromised, with over 160,000 unique IPs communicating daily, which are linked to a recently registered Swiss Yandex branch, are leaking user data, as evidenced by the disclosed MAC addresses and increasing traffic volume.

OS: Android
OS: Android

YNDX Smart TVs dominate traffic, originating mostly from Russia. Hisense phones follow, with lower activity from other regions, which aligns with the limited sales reach of YNDX TVs, confirmed by the manufacturer’s website – they primarily target Russia and neighboring countries.  

An investigation linked IPs to BADBOX C2 domains through shared URI paths and identified new potential C2 domains by SSL thumbprint analysis. 

Currently active domains 
Currently active domains 

Two active domains showed BADBOX behavior and high pDNS requests, while others (yydsmd.com, etc.) used a different communication format (/ota/api/), suggesting a potential new BADBOX tactic. 

BADBOX malware, a global threat, leverages supply chains to infect various Android devices, including those from reputable brands like Yandex and Hisense, highlighting the growing sophistication of cybercriminals and the importance of vendor and partner trust to mitigate risks of data breaches and potential involvement in malicious activities. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...