BADBOX Botnet Surges: Over 190,000 Android Devices Infected, Including LED TVs

The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over 192,000 systems globally.

Originally confined to low-cost and off-brand devices, the malware has expanded its reach to include well-known brands such as Yandex 4K QLED TVs and Hisense smartphones.

This alarming development highlights the growing risks of supply chain vulnerabilities in consumer electronics.

BADBOX malware is embedded directly into the firmware of affected devices, meaning that users unbox products already compromised.

Once connected to the internet, these devices immediately establish communication with command-and-control (C2) servers operated by cybercriminals.

The malware’s capabilities include turning infected devices into residential proxies, conducting ad fraud, stealing two-factor authentication codes, and installing additional malicious payloads.

Such activities not only compromise user security but also enable attackers to exploit the devices for broader cybercrime operations.

Supply Chain Compromise at the Core

Researchers believe BADBOX’s infiltration stems from supply chain attacks during manufacturing or distribution.

The malware is thought to be derived from the Triada family of Android malware, known for its stealthy backdoor operations.

Devices infected with BADBOX are sold through popular online retailers, making it nearly impossible for consumers to detect the threat before purchase.

A recent sinkhole operation by cybersecurity researchers revealed over 160,000 unique IPs attempting to connect to a single BADBOX C2 server within 24 hours.

This underscores the botnet’s rapid growth and widespread impact across countries such as Russia, China, India, Brazil, Belarus, and Ukraine.

Implications and Response

According to the Censys report, BADBOX’s ability to infect trusted brands raises serious concerns about supply chain integrity and device security.

The malware operates at a firmware level, making it nearly impossible for users to remove without replacing the entire firmware a task beyond most consumers’ capabilities.

German authorities recently disrupted part of the botnet by sinkholing one of its C2 servers, severing communication for approximately 30,000 devices in the country.

Experts recommend immediate action for affected users: disconnect compromised devices from networks and replace them if possible.

Manufacturers are urged to strengthen their supply chain security measures to prevent future incidents.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free