Google Targets Malware Affecting 10M Android Devices and Botnets

BadBox 2.0 Malware Threat

TV box with remote
Malware identified as "BadBox 2.0" has affected over 10 million Android devices, including various no-name TV streaming devices, tablets, and projectors. Google has initiated a lawsuit in New York to dismantle what it describes as a "criminal enterprise" operating as a botnet. The botnet, referred to as the "largest known botnet of internet-connected TV devices," poses a risk of being utilized for serious cybercrimes, including ransomware and DDoS attacks.

The malware proliferates through low-cost Android devices manufactured in China. It can be preinstalled or downloaded as Trojanized applications from unofficial app stores during setup. Hackers exploit these devices to sell access to cybercriminals, allowing them to conduct hacking activities in the U.S. and beyond. Google has identified several affected models, including Android TV boxes like X88 Pro 10, T95, MXQ Pro, and QPLOVE Q9. For a more comprehensive list, refer to Human Security.

Google's lawsuit claims the hackers, based in China, include at least 25 individuals or entities. The company is asking the court for a permanent injunction to cease operations related to the BadBox malware, which also generates fraudulent clicks for mobile ads. The legal action aims to disrupt the botnet by targeting the command-and-control servers that manage the malware's operations.

Legal Action Against Cybercriminals

Google's legal strategy involves pursuing a RICO case against the operators of the BadBox 2.0 botnet. The company seeks to shut down over 100 domains linked to the malware, which are hosted by major web service providers such as GoDaddy, Cloudflare, and Amazon. This legal route is considered necessary because traditional methods of using monitoring and ad account shutdowns have proven insufficient.

The lawsuit highlights the infrastructure behind the botnet, which includes various groups responsible for different criminal activities. The Infrastructure Group manages the command-and-control setup, while the Backdoor Malware Group develops the malware itself. Additionally, the Evil Twin Group creates fraudulent apps to generate ad revenue, and the Ad Games Group uses fake games for similar purposes.

Google's actions are prompted by the FBI's warning about BadBox 2.0 and its potential for large-scale ad fraud. The botnet has been described as a significant threat, particularly in regions like Brazil, the U.S., Mexico, and Argentina. For an overview of the botnet's impact, see The Hacker News.

Anatsa Malware in Google Play Store

Malware on phone
A different malware strain, named "Anatsa," infiltrated the Google Play Store by masquerading as a legitimate document viewer app. This Trojan, which garnered over 50,000 downloads before its removal, is designed to access banking applications covertly. ThreatFabric reported that the app initially appeared legitimate but was modified to deliver malicious updates that hijack access to U.S. mobile banking apps.

Anatsa can perform various malicious actions, including credential theft and keylogging, while displaying fake notifications to mislead users. This incident raises concerns about the effectiveness of Google Play Protect in safeguarding against apps that transition from legitimate to malicious post-download.

Google's security measures have been called into question, especially regarding the app's quick transformation into a threat approximately six weeks after its launch. This underscores the need for robust security practices to combat mobile malware threats effectively.

Importance of Advanced Security Solutions

The rising prevalence of malware like BadBox 2.0 and Anatsa highlights the critical need for advanced security solutions. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, which integrates networking and security across various environments—from endpoints and private networks to cloud, remote access, and containers.

Our offerings include: