Human Security’s Satori research team has reported the resurgence of the Badbox botnet, now powered by up to a million infected Android devices. This variant of the remote-controllable Badbox malware has been identified in various off-brand hardware, including cheap Android phones, connected TV boxes, tablets, and digital projectors.
The initial outbreak of Badbox occurred in 2023, involving off-brand Android-powered internet-connected TV devices that participated in a large ad-fraud scheme named Peachpit, with approximately 74,000 devices involved in the first cluster. Badbox 2.0 targets devices running the Android Open Source Project (AOSP) and has now spread to about a million devices across over 220 countries.
Gavin Reid, CISO of Human Security, explained that the botnet’s operators often tamper with the supply chain by purchasing inexpensive hardware, rebadging it, and embedding malicious code into firmware or popular apps, which are then sold to consumers. More than 200 apps containing malware associated with the botnet have been discovered, mainly hosted on third-party Android app stores, often replicating legitimate applications from the Google Play Store to deceive users into downloading them.
“The Badbox 2.0 scheme is bigger and far worse than what we saw in 2023,” Reid stated, highlighting the increase in device types targeted and the complexity of the fraud mechanisms employed. The network has produced traffic from 222 countries and territories since the botnet’s resurgence last autumn.
The monetization of this botnet involves hidden ad views and ad-click fraud, disguised effectively to evade detection. Lindsay Kaye, vice president of threat intelligence at Human Security, noted that the operators of the botnet conceal their fraudulent intentions by interspersing real traffic with illicit activities from infected households, making detection by ad networks significantly more challenging.
Besides ad fraud, the malware also poses risks such as password theft and the potential for denial-of-service attacks. At its peak, Badbox 2.0 infected nearly a million devices, but this number has been reduced by half due to efforts from Human Security, Google, Trend Micro, and the Shadowserver Foundation, which identified and shut down several command-and-control servers managing the botnet.
Kaye indicated that the malware was caught in its developmental phase, with many modules labeled “test.” Despite this, there are concerns about the possibility of the botnet’s revival, similar to prior incidents following the discovery of the original Badbox network. Devices affected by Badbox 2.0 are primarily manufactured in China, with some reportedly used in public schools in the U.S.
In December 2024, Germany’s BSI initiated a disruption campaign that sinkholed communications from over 30,000 infected devices to their command-and-control servers, but soon uncovered another, larger group of over 190,000 devices. The Badbox 2.0 operation exploits supply chain vulnerabilities: backdoored devices receive malicious code when they are first activated or when apps are downloaded from third-party marketplaces.
The identified threat actors include the SalesTracker Group, MoYu Group, Lemon Group, and LongTV, indicating collaborative efforts among distinct malicious actors, pooling resources to enhance the fraud operation.
To mitigate the threat, ad fraud prevention measures were implemented, and Google’s Play Protect added detection capabilities for Badbox-associated behaviors. There remains a persistent threat from these operators as they are likely to adapt and reconstruct their attack strategies.
Users are advised to remain vigilant, especially against certain malicious applications such as ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator,’ which have been linked to the malware. Installing a robust security solution can further protect Android devices from the risks posed by the Badbox botnet.
Featured image credit: Kerem Gülen/Ideogram