TZUTC: -0500   
   MSGID: 358.consprcy@1:2320/105 2c2ee493   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   BadBox malware hit after infecting over 500,000 Android devices   
      
   Date:   
   Thu, 06 Mar 2025 12:27:00 +0000   
      
   Description:   
   An undisclosed number of domains were sinkholed in strike against BadBox   
   malware.   
      
   FULL STORY   
      
   BadBox 2.0, the spiritual successor of the BadBox Android malware , has been   
   disrupted after cybersecurity experts from the HUMAN's Satori Threat   
   Intelligence team, together with multiple partners, removed dozens of   
   malicious apps from the Play Store, banned their developers, and sinkholed   
   communications for hundreds of thousands of infected devices.    
      
   The infected devices are Android Open Source Project devices, not Android TV   
   OS devices or Play Protect certified Android devices. All of these devices    
   are manufactured in mainland China and shipped globally, the researchers   
   explained.    
      
   In total, 24 malicious apps on the Play Store distributing BadBox 2.0 were   
   removed, and the developer accounts that uploaded these apps were banned from   
   the platform. HUMAN then also sinkholed an undisclosed number of domains,   
   effectively cutting off communications between the malware and the C2 servers   
   - so in other words, the devices are still infected, but the malware is   
   non-operational.   
      
   Sinkholing the domains    
      
   BadBox is a piece of malware that turns infected Android devices into   
   residential proxies. They are used in ad fraud, credential stuffing, and    
   other forms of cybercrime. Apparently, BadBox infected hundreds of thousands   
   of devices, from TV streaming boxes, to smart TVs, and smartphones. No one   
   knows exactly how these devices ended up being infected. Some believe they   
   were compromised in early production, while others claim BadBox was dropped   
   somewhere along the supply chain. In any case, these are overwhelmingly   
   low-price-point, off-brand, or uncertified devices.    
      
   German authorities recently disrupted the operation within its borders, but   
   that only sidetracked it a little. In the weeks following the operation,   
   BadBox grew to more than a million infected devices (although they were    
   mostly located outside Germany, in countries such as Brazil, the US, and   
   Mexico).    
      
   Given its size and resilience, security researchers from HUMAN dubbed it   
   BadBox 2.0. Now, together with Google, Trend Micro, The Shadowserver   
   Foundation, and other partners, HUMAN disrupted the new operation in multiple   
   ways.    
      
   As usual, the best way to defend against these attacks is to buy hardware and   
   software from reputable sources, keep the assets updated, and monitor for   
   malicious activity.    
      
    Via BleepingComputer   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/badbox-malware-hit-after-infecting-over   
   -500-000-android-devices   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426