Researchers at BitSight recently uncovered a resurgence of the BADBOX botnet, a cybercriminal operation that ships Android devices such as smart TVs and smartphones with malware already installed.
The botnet, previously believed to have been disrupted, now encompasses over 192,000 compromised devices, about 160,000 of which belong to models not previously seen in the botnet, such as the Yandex 4K QLED Smart TV and the Hisense T963 smartphone.
The expansion highlights how the threat is evolving: supply chain compromise puts the malware into the firmware before sale, so it reaches buyers through legitimate retail channels such as Amazon, eBay, and AliExpress.
The botnet’s global reach is evident, with widespread infections observed in countries including Russia, China, India, Belarus, Brazil, and Ukraine.
BADBOX is likely derived from the Triada malware family and is implanted in Android TV boxes during manufacturing or at a later point in the supply chain. On boot, the compromised firmware connects to the operators' infrastructure to download and execute a backdoor.
This backdoor lets the operators install further code remotely, so they can push new payloads for whatever scheme they are running at the time, such as residential proxying, account abuse, and ad fraud.
Because the implant lives in the firmware rather than in a user-installed app, it is stealthy and cannot be removed the way an ordinary app can, which makes it a significant security threat to users.
Analysis of the coslogdydy[.]in domain revealed that infected devices, primarily Yandex 4K QLED Smart TVs (models YNDX-00091 to YNDX-000102) and Instawall_T963 smartphones, POST telemetry to the C2 server each time they boot.
Over 160,000 unique IP addresses communicate with the domain every day, the majority of them located in Russia and China. The YNDX smart TVs are registered to a Yandex branch in Switzerland, while the Instawall_T963 smartphones are associated with Hisense in China.
The volume of infected higher-end, branded devices indicates that BADBOX reaches well beyond the low-cost, no-name Android hardware it was previously associated with.
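The boot-time telemetry check-ins described above leave a simple trace in outbound proxy logs: repeated POSTs from many distinct client IPs to the same C2 hostname. The following is an added example, not part of the article or of BitSight's research, that matches constructed proxy log lines against the C2 domain from the article and reproduces the metric the article reports (distinct client IPs per day). The log format (timestamp, client IP, method, host, path), the request paths and the client IPs (RFC 5737 documentation addresses) are all assumptions made up for the example; only the domain coslogdydy[.]in comes from the article, written undefanged here so it can be matched.

```python
"""Match proxy logs against the BADBOX C2 domain and count unique clients per day.

Added example, not BitSight's tooling. Everything except the domain name is
constructed for illustration.
"""
from collections import defaultdict

# C2 domain from the article, undefanged for matching.
C2_DOMAINS = {"coslogdydy.in"}

# Constructed proxy log excerpt (assumed format: ts client_ip method host path).
SAMPLE_LOG = """\
2024-12-19T06:01:02Z 192.0.2.11 POST coslogdydy.in /device/report
2024-12-19T06:01:03Z 192.0.2.11 GET  cdn.example.com /app.js
2024-12-19T07:15:44Z 192.0.2.12 POST coslogdydy.in /device/report
2024-12-19T08:00:00Z 192.0.2.13 GET  www.example.org /
2024-12-20T06:00:59Z 192.0.2.11 POST coslogdydy.in /device/report
2024-12-20T09:30:10Z 192.0.2.14 POST coslogdydy.in /device/report
"""


def parse(log_text):
    """Yield (timestamp, client_ip, method, host, path) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, host, path = line.split()
        yield ts, ip, method.upper(), host.lower(), path


def c2_hits(log_text):
    """All requests whose Host header is a known C2 domain, whatever the method."""
    return [rec for rec in parse(log_text) if rec[3] in C2_DOMAINS]


def unique_ips_per_day(log_text):
    """Distinct client IPs per (day, C2 domain): the 'unique IPs per day'
    measure the article uses to size the botnet. Days are the YYYY-MM-DD
    prefix of the ISO timestamp."""
    seen = defaultdict(set)
    for ts, ip, _method, host, _path in c2_hits(log_text):
        seen[(ts[:10], host)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}


def suspected_devices(log_text):
    """Clients that POSTed to a C2 domain, i.e. sent the boot-time telemetry;
    a plain GET to the domain (a researcher's probe, a sandbox) is not counted."""
    return sorted({ip for _ts, ip, method, host, _path in c2_hits(log_text)
                   if method == "POST"})


if __name__ == "__main__":
    for dev in suspected_devices(SAMPLE_LOG):
        print("suspected infected device:", dev)
    for (day, host), n in sorted(unique_ips_per_day(SAMPLE_LOG).items()):
        print(f"{day} {host}: {n} unique client IPs")
```

Only POSTs are treated as device check-ins; a GET to the domain is kept in the hit list for review but does not by itself mark the client as infected. On a real network the same grouping by day and host is what turns a long list of hits into a count comparable to the article's figure.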
The investigation into BADBOX infrastructure then looked for further active communication channels. By pivoting on previously known IP addresses, on URI paths used for C2 communication (such as “/uploads/apk/20*_en.zip”), and on SSL certificates, the researchers discovered new suspicious domains.
These domains share naming patterns with known BADBOX domains (for example the word “log”, or names differing by a single letter), and some resolve to the same IP addresses as known BADBOX servers, which suggests that the newly identified domains are part of the same botnet.
SSL thumbprinting hashes a certificate to produce a fingerprint, so every domain presenting the same certificate can be identified regardless of its name. Here, 36 domains share a single self-signed certificate with the thumbprint 5b3aa659cb8dece5c9a14d605c68a432b773969c (40 hex digits, the length of a SHA-1 digest). A shared self-signed certificate is a strong link: unlike a CA-issued certificate on a CDN that legitimately covers many unrelated sites, it points to one operator deploying the same key material across their own hosts.
Most of these domains do not currently resolve to any IP address, but yydsmr[.]com and logcer[.]com are active and confirmed to be involved in BADBOX malware activity, and passive DNS shows over 2 million resolution requests for yydsmr[.]com, indicating a large botnet behind it.
According to BitSight, another domain, yydsmd[.]com (one letter away from yydsmr[.]com), receives suspicious requests to /ota/api/conf/v1, potentially malware check-ins.
BADBOX employs different custom encryption schemes depending on the URI path, and several other active domains answer URI requests with encrypted strings, which suggests further adaptations of the BADBOX scheme or new avenues for it.
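The pivoting described in the last few paragraphs (certificate thumbprint, shared IP address, C2 URI pattern, and naming similarity to known domains) can be written as a scoring pass over candidate records. The block below is an added example, not BitSight's tooling or code from the article. The candidate records are constructed: the known domains, the URI pattern and the thumbprint are the ones quoted above (domains written undefanged so they can be compared), but every IP address (RFC 5737 documentation ranges), the assignment of the certificate to particular domains, the sample DER bytes and the extra candidate names (logcer.net, cdn-static.example) are invented for illustration.

```python
"""Pivot from known BADBOX indicators to candidate domains.

Added example, not BitSight's tooling. Records are constructed; see the
lead-in for which values come from the article and which are assumptions.
"""
import fnmatch
import hashlib
import ssl
from collections import defaultdict

# Indicators quoted in the article.
KNOWN_THUMBPRINT = "5b3aa659cb8dece5c9a14d605c68a432b773969c"  # 40 hex digits = SHA-1
KNOWN_DOMAINS = {"coslogdydy.in", "yydsmr.com", "logcer.com"}
URI_PATTERN = "/uploads/apk/20*_en.zip"
# Assumed C2 address (documentation range); the article names no IPs.
KNOWN_IPS = {"203.0.113.10"}

# Constructed candidates: (domain, resolved IP or None, cert thumbprint or None, observed URIs)
CANDIDATES = [
    ("yydsmd.com", "203.0.113.10", KNOWN_THUMBPRINT, ["/ota/api/conf/v1"]),
    ("logcer.net", None, KNOWN_THUMBPRINT, []),
    ("example.org", "198.51.100.7", "00" * 20, ["/index.html"]),
    ("cdn-static.example", "198.51.100.9", None, ["/uploads/apk/20240101_en.zip"]),
]

# Constructed bytes standing in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def thumbprint_der(der_bytes):
    """SSL thumbprint as the article describes it: SHA-1 over the DER encoding."""
    return hashlib.sha1(der_bytes).hexdigest()


def thumbprint(pem_text):
    """Thumbprint of a PEM certificate; ssl strips the armour and base64-decodes."""
    return thumbprint_der(ssl.PEM_cert_to_DER_cert(pem_text))


def edit_distance_one(a, b):
    """True when two labels of equal length differ in exactly one character
    (yydsmr vs yydsmd)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def name_pattern_reasons(domain):
    """The naming heuristics from the article: 'log' wording and one-letter variants."""
    label = domain.split(".")[0]
    reasons = []
    if "log" in label:
        reasons.append("contains 'log'")
    for known in sorted(KNOWN_DOMAINS):
        if edit_distance_one(label, known.split(".")[0]):
            reasons.append(f"one letter from {known}")
    return reasons


def pivot(candidates):
    """Return {domain: [reasons]} for every candidate linked to known infrastructure."""
    linked = defaultdict(list)
    for domain, ip, tp, uris in candidates:
        if tp == KNOWN_THUMBPRINT:
            linked[domain].append("shares cert thumbprint")
        if ip in KNOWN_IPS:
            linked[domain].append(f"resolves to known C2 IP {ip}")
        for uri in uris:
            if fnmatch.fnmatch(uri, URI_PATTERN):
                linked[domain].append(f"serves C2 path {uri}")
        linked[domain].extend(name_pattern_reasons(domain))
    return {d: r for d, r in linked.items() if r}


if __name__ == "__main__":
    for domain, reasons in pivot(CANDIDATES).items():
        print(domain, "->", "; ".join(reasons))
```

The reasons are evidence, not a verdict: the name heuristics in particular are weak on their own ("log" also appears in "blog" and "login"), which is why the article only calls yydsmr[.]com and logcer[.]com confirmed after observing actual BADBOX activity. A domain that shares the self-signed certificate or a known C2 IP is a much stronger lead than one that merely matches a naming pattern, so sort by the kind of reason, not by the count.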