The 'Badbox' malware is far from dead and has now been found to infect Android-based Smart TVs, alongside Android TV boxes, smartphones, car entertainment systems and more.
Last year, security researchers discovered that over 20 million Android-based TV boxes running open source Android were infected with the so-called Badbox malware.
Efforts have been made to dismantle the botnet. For example, Germany's federal cyber-security office (BSI) sinkholed the command-and-control traffic of around 30,000 devices in Germany that shipped with Badbox pre-installed in their firmware.
Badbox is back
Unfortunately, it remains a cat-and-mouse game as a new Badbox variant has been uncovered by security researchers at Bitsight.
- "This botnet was presumed dead, after a push to stop its spread. However, not only is it still active, but it also appears to be larger and more versatile than previously anticipated," said Pedro Falé, Threat Researcher at Bitsight.
Infects Android-based Smart TVs
Expanding beyond Android TV boxes and mobile devices, the new Badbox variant now also targets Android-based Smart TVs. These are not Google-certified Android TV or Google TV devices but devices built on the Android Open Source Project (AOSP) without Google's certification, so they ship without Google's compatibility testing and Play Protect protections.
- "First, the models ranging from YNDX-00091 to YNDX-000102 are 4K Smart TVs from a well-known brand, not cheap Android TV boxes. It’s the first time a major brand Smart TV is seen directly communicating at such volume with a BADBOX command and control (C2) domain, broadening the scope of affected devices beyond Android TV boxes, tablets, and smartphones," explained Pedro Falé.
The countries most affected are Russia, China, India, Belarus, Brazil and Ukraine.
The new Badbox variant uses infected devices for "residential proxying (using backdoored devices as exit points), remote code installation, account abuse, and ad fraud", according to the security researchers. The most concerning capability is remote code installation: the operators can push new code to an infected device without the owner's knowledge, so the botnet's behaviour can change at any time. Further details are available in Bitsight's report.
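A network-side check for the two behaviours above that are visible from the LAN: a TV device talking to a command-and-control domain, and a TV device fanning out to an unusual number of external destinations, which is what a residential proxy exit node looks like. This is an added example, not code from Bitsight or the article; the log format, the watchlist domains, the device inventory and the threshold are constructed assumptions to be replaced with your own flow/DNS logs and the indicators published in the Bitsight report.

```python
"""
Heuristic triage of outbound traffic from smart TVs / TV boxes.
Added example; not Bitsight's or the article's code. All domains,
addresses and log lines below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed watchlist. These are NOT real Badbox C2 domains; load the
# indicators from the Bitsight report or your threat-intel feed instead.
WATCHLIST = {"c2-example.invalid", "updates.c2-example.invalid"}

# Which LAN hosts are TV devices (constructed inventory).
TV_DEVICES = {"192.168.1.50", "192.168.1.51"}

# RFC 1918 space; anything else is treated as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A TV should talk to a handful of CDNs/app backends, not dozens of
# unrelated hosts. Tune per network after baselining (assumed value).
FANOUT_THRESHOLD = 20


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str   # "watchlist-domain" or "proxy-like-fanout"
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Constructed format: '<ts> <src_ip> <dst_ip> <dst_port> [<dns_name>]'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, src, dst, port = parts[:4]
    name = parts[4].lower() if len(parts) > 4 else ""
    return ts, src, dst, int(port), name


def triage(lines):
    """Return a list of Findings for TV devices seen in the log lines."""
    external_dsts = defaultdict(set)
    seen = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, name = rec
        if src not in TV_DEVICES:
            continue
        # One finding per (device, domain) pair, not one per packet.
        if name in WATCHLIST and (src, name) not in seen:
            seen.add((src, name))
            findings.append(Finding(src, "watchlist-domain", f"{ts} {name}:{port}"))
        if not is_internal(dst):
            external_dsts[src].add(dst)
    for host, dsts in external_dsts.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.append(Finding(host, "proxy-like-fanout",
                                    f"{len(dsts)} distinct external destinations"))
    return findings


def summarize(findings):
    """Map host -> set of reasons, for a quick glance or a ticket."""
    out = defaultdict(set)
    for f in findings:
        out[f.host].add(f.reason)
    return dict(out)


def build_sample_log():
    """Constructed log: .50 looks compromised, .51 looks like a normal TV."""
    log = ["2025-01-01T10:00:00 192.168.1.50 203.0.113.10 443 c2-example.invalid"]
    # .50 fans out to 30 distinct external hosts in the window (proxy exit behaviour)
    log += [f"2025-01-01T10:01:{i:02d} 192.168.1.50 198.51.100.{i} 443"
            for i in range(1, 31)]
    # .51 talks to two CDN-like hosts and the LAN gateway
    log += [
        "2025-01-01T10:02:00 192.168.1.51 198.51.100.200 443 cdn.example",
        "2025-01-01T10:02:01 192.168.1.51 198.51.100.201 443 cdn.example",
        "2025-01-01T10:02:02 192.168.1.51 192.168.1.1 53",
    ]
    return log


if __name__ == "__main__":
    for f in triage(build_sample_log()):
        print(f"{f.host}: {f.reason} ({f.detail})")
```

The fan-out rule is deliberately crude: it catches a device that has started relaying other people's traffic, but a long baseline of what your particular TV model normally contacts is needed before the threshold is trustworthy, and the watchlist rule is only as good as the indicators you feed it.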
Google responds
Google has responded to the new findings by pointing out that the affected devices run uncertified builds of open source Android and are therefore outside its Play Protect certification programme and the security and compatibility testing that comes with it.
- "These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified," a Google Spokesperson told Android Headlines.
- Source: Bitsight via Android Headlines