Threat intelligence researchers have confirmed that one of the largest botnets of its kind ever detected has installed a backdoor on more than a million Android consumer devices, which it uses to carry out a number of cyber attacks. This comes hot on the heels of reports of multiple vulnerabilities found in the Google Chrome web browser, a warning from YouTube not to watch a video that leads to creator credential theft, and zero-day attacks against Android smartphones being confirmed by Google. Here’s what Android users need to know and do.

One Million Android Devices Compromised By Backdoor Threat

An investigation by Human Security’s Satori Threat Intelligence and Research Team has revealed the frightening reach of a botnet operation known as BADBOX 2.0, first reported by Wired, which the researchers described as a complex fraud scheme targeting consumer devices: more than one million of them.

In collaboration with researchers at Google, Trend Micro and Shadowserver, the Satori team said that it had “partially disrupted a complex and expansive fraud operation.” That operation begins by installing backdoors on low-cost Android devices, which then enable the attackers to remotely load various fraud and malware modules. “Once a fraud module is deployed,” the researchers said, “infected devices may become part of a botnet and subsequently have the capacity to conduct several attacks.” The list of attack types is as varied as it is long: programmatic ad fraud, click fraud, residential proxy services, account takeover, fake account creation, denial of service, malware distribution and one-time password compromise.

Android Devices Impacted By The BADBOX Botnet

The devices impacted by the BADBOX botnet campaign have a few things in common, namely that they are all Android-powered and all consumer-oriented. They are also all lower-price-point, off-brand, third-party devices, the researchers said. These included:

  • Uncertified tablets
  • Connected TV boxes
  • Digital projectors

All of these were Android Open Source Project devices and not Play Protect certified. A complete list of devices can be found in the indicators of compromise section of the Human Security report.

What Android Users Need To Do Now

According to the researchers, Google has already terminated the publisher accounts known to be associated with BADBOX 2.0 from the Google Ad ecosystem. I have reached out to Google for a statement. In the meantime, Google advises that Google Play Protect will warn users regarding any apps that exhibit behavior associated with BADBOX, and block these automatically. As such, Google recommends ensuring that any Android devices you have are Google Play Protect certified by taking a quick checkup.
