Together with Google, Trend Micro, The Shadowserver Foundation, and other partners, researchers from HUMAN’s Satori Threat Intelligence team were able to take down BadBox 2.0, the biggest network of compromised connected TV sets.
The BadBox malware typically comes pre-installed on TV streaming boxes, smart TVs, tablets, digital projectors, or smartphones, turning off-brand Android devices into a botnet. As a backup method for distributing the backdoor, the threat actors in this instance also circulated hundreds of versions of well-known apps. HUMAN’s researchers found 24 malicious “evil twin” apps that were spreading the malware, and they have since been taken down from the Google Play Store.
The researchers sinkholed communications to the malicious domains used by the operators of this campaign, disrupting the botnet on more than 500,000 Android devices in total. To stop the compromised devices from reaching the command-and-control (C2) servers the attackers had set up, the researchers took control of thousands of these BadBox 2.0 domains, which also lets them monitor the connections and collect intelligence on the botnet.
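The sinkholing described above works because infected devices keep trying to resolve the operators’ C2 domains; a network defender can watch for the same thing on their own router. The script below is an added illustration, not code from HUMAN or its partners: it parses constructed dnsmasq-style query-log lines and reports which source IPs looked up names on a block list, matching on label boundaries so that a lookalike such as `notc2-placeholder-1.invalid` is not flagged. The domain names, IPs and log lines are placeholders made up for the example; the real BadBox 2.0 indicators are published in the researchers’ report, not reproduced here.

```python
"""Flag devices whose DNS lookups hit a list of known C2 domains.

Constructed example: the domains, addresses and log lines are placeholders,
not indicators taken from the BadBox 2.0 report.
"""
import re
from collections import defaultdict

# Placeholder block list (assumption for the example). Replace with the
# published indicator list when using this on a real network.
C2_DOMAINS = {
    "c2-placeholder-1.invalid",
    "c2-placeholder-2.invalid",
}

# Constructed dnsmasq query-log lines as a home router might write them.
SAMPLE_LOG = """\
Mar 10 20:01:02 dnsmasq[1234]: query[A] update.c2-placeholder-1.invalid from 192.168.1.42
Mar 10 20:01:03 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Mar 10 20:01:07 dnsmasq[1234]: query[AAAA] c2-placeholder-2.invalid from 192.168.1.42
Mar 10 20:01:09 dnsmasq[1234]: query[A] notc2-placeholder-1.invalid from 192.168.1.10
Mar 10 20:02:15 dnsmasq[1234]: query[A] api.c2-placeholder-1.invalid from 192.168.1.42
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def matches_blocklist(name, blocklist=C2_DOMAINS):
    """True if name equals a blocked domain or is a subdomain of one.

    Suffix matching is done on label boundaries, so
    'notc2-placeholder-1.invalid' does not match 'c2-placeholder-1.invalid'.
    """
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_suspect_devices(log_text, blocklist=C2_DOMAINS):
    """Return {source_ip: sorted list of blocked names it queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group("name"), blocklist):
            hits[m.group("src")].add(m.group("name").lower())
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in find_suspect_devices(SAMPLE_LOG).items():
        print(f"{src}: {len(names)} lookups of listed C2 names -> {', '.join(names)}")
```

A device that shows up here is worth isolating from the network until its firmware provenance is confirmed; a single hit is a reason to look, repeated hits across hours are a strong sign of an implant phoning home.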

What is BadBox 2.0?
BadBox 2.0 is a malware-based botnet that commits fraud and other criminal activities using cheap, off-brand Android devices. In October 2023, the original BadBox malware was disabled or rendered dormant after infecting 74,000 devices.
This new version, BadBox 2.0, has infected more than 1 million devices according to HUMAN. The majority of the infections appear to be focused on Brazil (37.6%), followed by the U.S. (18.2%), Mexico (6.3%) and Argentina (5.3%).
The compromised devices, which include Android TV streaming boxes, smart TVs, tablets, smartphones, and video projectors, among others, frequently ship with the malware pre-installed by the manufacturer. Alternatively, malicious “evil twin” apps or firmware downloads infect them and add them to the botnet. “The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices,” HUMAN said in a blog post.
How to protect yourself from BadBox 2.0
Google has already added a Play Protect enforcement rule that warns users and blocks the installation of apps linked to BadBox 2.0 on any certified Android device, and it has removed the malicious apps identified by HUMAN’s researchers from the Play Store.
BadBox cannot be eliminated entirely, though, because Google is unable to disinfect Android devices that are not Play Protect certified. The very bottom of HUMAN’s report, mentioned above, lists the devices known to be affected by the current version of BadBox. If your device is on that list, it is unlikely that you will be able to reflash it with clean firmware. Your safest course of action is to disconnect it from the internet or, better yet, replace it with a certified device from a reputable manufacturer.
“If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results,” a Google spokesperson explained in a statement to BleepingComputer. “Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled.”
If you want to be safe, avoid purchasing AOSP-based Android devices, such as off-brand TV boxes, that do not officially support Google Play Services. On whichever streaming device you use, keep the firmware updated and apply security updates as soon as they are released.
You should also install apps only from the Google Play Store and other official app stores, and refrain from sideloading. Similarly, Android TV devices can be taken offline while not in use by disabling their remote-access functions. If a device has unknowingly joined a botnet, this adds a layer of protection for your data and equipment.
Investing in a mesh Wi-Fi system with integrated security software, or a router that offers the same, may also be worthwhile.