BadBox 2.0: Everything you need to know about the largest malware campaign targeting Android and IoT

  • BadBox 2.0 turns Android and IoT devices into nodes for criminal networks.
  • Infection can occur prior to purchase or during the installation of unofficial apps.
  • The botnet primarily targets low-cost devices without Play Protect certification.
  • Detecting and eradicating malware is very complex, so prevention is key.

BadBox 2.0: the malware that threatens IoT systems

The security of our home devices has never been more in question than it is right now. A sophisticated new malware, dubbed BadBox 2.0, has alerted millions of Android users to the possibility that their devices are, without their knowledge, collaborating with international cybercrime networks. This phenomenon has reached such proportions that even the FBI and leading cybersecurity organizations have issued public warnings to try to curb its spread.

In this article, we'll tell you everything you need to know about BadBox 2.0: how it works, which devices are most vulnerable, how to recognize if one of your devices is infected, and, most importantly, how you can effectively protect yourself. We compile and analyze information published by leading technology media outlets, security organizations, and government agencies to offer you a comprehensive, detailed, yet engaging and straightforward look at the threat this new malware poses to connected homes.

What is BadBox 2.0 and why has it compromised Android security?

BadBox 2.0 is a dangerous evolution of previous malware campaigns targeting the Android ecosystem and, in particular, Internet of Things (IoT) devices. Far from being a simple passing virus, this is a global campaign that has compromised more than a million devices worldwide, and the number continues to rise. The main feature that makes BadBox 2.0 so problematic is its ability to transform ordinary devices into nodes of a criminal proxy network (a botnet) without the owner noticing anything out of the ordinary.

Unlike other malware, BadBox 2.0 is not limited to infecting mobile phones or tablets. The greatest danger lies in the fact that it attacks all types of connected devices: TV streaming boxes, digital photo frames, projectors, vehicle infotainment systems, and smart TVs, especially those manufactured in China without official certification, which are often purchased at very attractive prices on e-commerce platforms.

How does it manage to infect so many devices?

BadBox 2.0's modus operandi is twofold and extremely insidious. On the one hand, many infections occur before the consumer even has the product in their home: the malware comes pre-installed at the factory, exploiting gaps in the supply chain of unscrupulous or poorly protected manufacturers. Thus, anyone can buy a seemingly new device, turn it on, and, simply by connecting it to the internet, unknowingly become part of a botnet.

The second major attack vector occurs during the initial setup of the equipment. In many cases, the device itself or the original apps suggest (or even force) the installation of apps from unofficial or untrustworthy sources. These apps may contain backdoors that facilitate the entry of malware. Once infected, the device begins to receive remote commands from cybercriminals and can be used for various illegal activities.

What is the threat and what do hackers do with infected devices?

The main danger lies in the fact that these zombie devices are part of a hidden proxy network. Criminals can divert their own malicious traffic through the connection of infected devices, masking their true identity and making it difficult for law enforcement to track them. This makes it appear that certain attacks, fraud, or unauthorized access originate from innocent users rather than criminals.

The capabilities of the BadBox 2.0 malware go far beyond simply redirecting traffic:

  • Full remote control of the device: Attackers can execute commands, modify parameters, and load other programs.
  • Data theft: Access credentials, one-time passwords (OTP), personal data and any type of stored information can be stolen.
  • Creation of fake accounts in messaging or email services, subsequently used for disinformation campaigns, scams or identity theft.
  • Ad fraud and click manipulation: Malware can invisibly load ads and automatically trigger clicks, generating revenue for the attackers and altering the metrics of websites and advertising campaigns.
  • Installing additional payloads: The infected device can be used as a springboard to download and install other, more dangerous malware, including strains that specialize in spying or stealing more information.
  • Credential stuffing: Using the user's IP address, attempts are made to access other accounts with stolen credentials.

All this happens while the device continues to function apparently normally. At most, the owner may notice poor performance, strange ads, or abnormal bandwidth usage on the home network, but is unlikely to suspect what is actually happening in the background.

Which devices are in the spotlight?

The most vulnerable are devices based on the Android Open Source Project without Google's Play Protect certification. That is, they are not the usual smartphones from well-known brands, but rather generic tablets, TV boxes, television decoders, and digital projectors from Chinese factories that do not pass Google's strict controls.

Some of the models detected as infected by various investigations and by the FBI itself include:

  • Models: TV98, X96 Max, X96mini, X96Q, X96Q2, X96MATE_PLUS, X96Max_Plus2, TV Box
  • Digital frames and multimedia systems for vehicles from the Chinese market.
  • Television decoders, unbranded tablets, and low-cost or unrecognizable brand smart TVs.

In many cases, these products are sold through global platforms like Amazon, at very low prices that are often irresistible to the average consumer. The worrying thing is that some even boast the “Amazon's Choice” seal, which can be misleading.

How is BadBox 2.0 distributed globally?

The international reach of BadBox 2.0 is overwhelming. Cybersecurity experts have tracked the botnet's spread to more than 200 countries and territories, with a particular impact in Brazil (37.6% of compromised devices), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). This global distribution is closely linked to the manufacturing and marketing chains of low-cost electronic products, which, once manufactured in China, are sold through online stores anywhere in the world.

Despite attempts to disrupt the malware's command and control infrastructure, the threat remains active and expanding. By early 2024, a collaboration between Google, Trend Micro, Human Security, and The Shadowserver Foundation successfully took down more than half a million infected devices using advanced techniques, but the constant stream of newly infected products keeps the problem alive.

Main symptoms of infection: How do you know if you have BadBox 2.0?

Detecting BadBox 2.0 is not an easy task, but there are several warning signs that should put you on notice:

  • Requests to disable Google Play Protect during the initial setup of the device.
  • The device comes from an unknown or disreputable brand, and its packaging often looks generic.
  • Promises of free access to premium or blocked content (such as “unlocked device” or “free streaming”).
  • Recommendations or even obligations to download apps from unofficial stores or suspicious links outside the Google Play Store.
  • Unexplained internet traffic spikes or unusual activity on your home network, which do not correspond to the actual use of the devices.
  • Additional ads, or changes in the behavior of the smart TV or other connected devices.

These signs are not definitive proof, but they should encourage you to take extreme precautions and take immediate action.

Why is BadBox 2.0 so difficult to remove?

One of the most disturbing issues is that BadBox 2.0 usually resides in the firmware partition, which is read-only, so neither factory resets nor conventional antivirus applications can remove it in most cases. The only realistic solution is usually to contact the manufacturer and request (if available) a security patch or firmware update that eradicates the malware. Unfortunately, on generic or unsupported devices, this is little short of mission impossible.

What to do if you suspect you have an infected device?

If you have doubts about the integrity of any equipment in your home, the most prudent thing is to isolate it from the home network by disconnecting it from Wi-Fi or the cable. This will prevent it from acting as a node within the botnet and minimize the risks to other connected devices in your home.

If suspicious activity is detected, the FBI recommends restricting the device's internet access and, if possible, quarantining it away from your primary network. If possible, contact the manufacturer to request a solution and stay tuned for critical firmware updates. You can also file a report with the appropriate authorities if you suspect the incident affects your privacy or digital security.

Best practices and measures to keep you safe from BadBox 2.0

In the face of such a persistent and sophisticated threat, prevention is your best ally. We recommend following these steps to minimize your exposure to BadBox 2.0 and other similar malware campaigns:

  • Be wary of bargains. Extremely cheap devices from unrecognizable brands, sold without clear information, are usually the most exposed.
  • Buy only devices from reputable manufacturers that offer official certifications, especially Google Play Protect on Android devices.
  • Do not download applications from unofficial stores. Always stay on the Play Store or App Store if you're an Android or Apple user.
  • Monitor your home network traffic and periodically check the connected devices.
  • Keep all your equipment and the router itself updated with the latest security patches.
  • Disable and remove suspicious devices or those that show symptoms of infection without any apparent technical explanation.
  • Use specialized tools such as Bitdefender Mobile Security or home network protection solutions (e.g., NETGEAR Armor) that can help you detect anomalous behavior.
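
The traffic-spike symptom listed above and the recommendation to monitor your home network can be turned into a simple check. The following is an added example, not code from the original article or from any of the vendors it names: it reads constructed flow records (a generic "timestamp src dst dport bytes" layout, not real router output) and flags devices that, during idle night-time hours, talk to many distinct external hosts or move a lot of data, the pattern a device acting as a residential proxy node tends to show. The thresholds are assumptions you would tune for your own network.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records in a generic "timestamp src dst dport bytes" layout
# (not real router output): a TV box (.50) fanning out at 03:00 and a phone (.20).
SAMPLE_FLOWS = "\n".join(
    [f"2024-05-01T03:{m:02d}:00 192.168.1.50 203.0.113.{m} 443 {40000 + m}"
     for m in range(1, 31)]
    + ["2024-05-01T09:10:00 192.168.1.20 198.51.100.7 443 120000",
       "2024-05-01T09:12:00 192.168.1.20 198.51.100.8 443 80000",
       "2024-05-01T03:30:00 192.168.1.20 198.51.100.7 443 1500"])

IDLE_HOURS = range(1, 6)  # 01:00-05:59, when a home TV box should be near silent
MIN_IDLE_DESTS = 20       # assumed threshold: distinct external hosts in idle hours
MIN_IDLE_BYTES = 500_000  # assumed threshold: bytes moved in idle hours

def parse_flows(text):
    """Parse one record per line; skip blank or malformed lines instead of aborting."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append({"ts": datetime.fromisoformat(parts[0]), "src": parts[1],
                          "dst": parts[2], "port": int(parts[3]), "bytes": int(parts[4])})
        except ValueError:
            continue  # bad timestamp or non-numeric field
    return flows

def idle_profile(flows, idle_hours=IDLE_HOURS):
    """Per source device: (distinct destinations, total bytes) inside idle hours."""
    dests, total = defaultdict(set), defaultdict(int)
    for f in flows:
        if f["ts"].hour in idle_hours:
            dests[f["src"]].add(f["dst"])
            total[f["src"]] += f["bytes"]
    return {src: (len(dests[src]), total[src]) for src in dests}

def suspicious_devices(flows):
    """Return {device: [reasons]} for devices exceeding either idle-hour threshold."""
    flagged = {}
    for src, (ndest, nbytes) in idle_profile(flows).items():
        reasons = []
        if ndest >= MIN_IDLE_DESTS:
            reasons.append(f"{ndest} distinct destinations during idle hours")
        if nbytes >= MIN_IDLE_BYTES:
            reasons.append(f"{nbytes} bytes during idle hours")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Running `suspicious_devices(parse_flows(SAMPLE_FLOWS))` flags only the TV box; a device flagged this way is a candidate for the isolation steps described earlier, not proof of infection on its own.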

The role of manufacturers, platforms, and users in the fight against BadBox 2.0

Although the ultimate responsibility for protection lies with the user, manufacturers and sales platforms must also exercise more rigorous control over the supply chain and the origin of the software. Collaboration with cybersecurity companies and the rapid issuance of alerts when a new case is detected are essential to stopping the spread of campaigns like BadBox 2.0.

Furthermore, collaborative work between government agencies (such as the FBI), manufacturers, cybersecurity experts, and e-commerce platforms is key to identifying dangerous products, removing them from the market, and sharing relevant information with consumers.

This malware exemplifies how threats evolve as rapidly as the technologies we incorporate into our daily lives. Staying informed, being cautious when purchasing and configuring devices, and regularly reviewing the security of our home networks are essential steps to protect ourselves against threats that, although invisible, can turn us into victims or even unwitting participants in the most sophisticated digital crimes. Share this information so that more users learn about this malware.