{
	"id": "3e65320f-6fa5-4a40-a199-640aed31d415",
	"created_at": "2026-04-06T00:19:27.315219Z",
	"updated_at": "2026-04-10T03:20:18.710852Z",
	"deleted_at": null,
	"sha1_hash": "ed9ac8e29ad4ea2a29bed5a63bb89ca33939e73a",
	"title": "BadBox malware botnet infects 192,000 Android devices despite disruption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2084927,
	"plain_text": "BadBox malware botnet infects 192,000 Android devices despite\r\ndisruption\r\nBy Bill Toulas\r\nPublished: 2024-12-19 · Archived: 2026-04-05 21:28:58 UTC\r\nThe BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole\r\noperation that attempted to disrupt the operation in Germany.\r\nResearchers from BitSight warn that the malware appears to have expanded its targeting scope beyond no-name Chinese\r\nAndroid devices, now infecting more well-known and trusted brands like Yandex TVs and Hisense smartphones.\r\nThe BadBox malware botnet\r\nBadBox is an Android malware thought to be based on the 'Triada' malware family, infecting devices made by obscure\r\nmanufacturers either through supply chain attacks on their firmware, shady employees, or through injections taking place as\r\nthey enter the product distribution phase.\r\nhttps://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/\r\nPage 1 of 5\n\nIt was first discovered on a T95 Android TV box purchased from Amazon by Canadian security consultant Daniel Milisic in\r\nearly 2023. Since then, the malware operation has expanded to other no-name products sold online.\r\nThe goal of the BadBox campaign is financial gain, which is achieved by turning the device into a residential proxy or using\r\nit to perform ad fraud. These residential proxies can then be rented to other users, in many cases cybercriminals, who use\r\nyour device as a proxy to conduct attacks or other fraudulent activity.\r\nAdditionally, the BadBox malware can be used to install additional malicious payloads onto Android devices, enabling more\r\ndangerous operations.\r\nMalware activity flow\r\nSource: BitSight\r\nLast week, Germany's Federal Office for Information Security (BSI) announced they disrupted the BadBox malware\r\noperation in the country after it sinkholed one of the malware's command and control servers, cutting off communication for\r\n30,000 Android devices.\r\nThese devices were primarily Android-based digital picture frames and media streaming boxes, but BSI warned that it's very\r\nlikely that BadBox is present in more product categories.\r\nBadBox continues to grow\r\nThe new report from BitSight confirms that the BadBox operation has continued to grow despite Germany's police action,\r\nwith researchers finding the Android malware installed on 192,000 TVs and smartphones.\r\nAccording to BitSight researcher Pedro Falé, the cybersecurity company was able to sinkhole one of the command and\r\ncontrol servers used by the BadBox malware operation.\r\nAs the researchers now control the domain, they can see when devices attempt to connect to it, allowing them to see how\r\nmany unique IP addresses are impacted.\r\n\"The reality is that BADBOX still seems to be very much alive and spreading,\" wrote Falé.\r\n\"This was evident when Bitsight managed to sinkhole a BADBOX domain, registering more than 160,000 unique IPs in a\r\n24 hour period. A number that has been steadily growing.\"\r\nThe number of detected devices is much higher than what was previously considered the peak for this botnet, at around\r\n74,000 compromised devices.\r\nRoughly 160,000 of the infected devices are the Yandex 4K QLED Smart TV, which is very popular in Russia, and the\r\nHisense T963 smartphone.\r\n\"The [impacted] models ranging from YNDX-00091 to YNDX-000102 are 4K Smart TVs from a well-known brand, not\r\ncheap Android TV boxes,\" explains BitSight.\r\n\"It's the first time a major brand Smart TV is seen directly communicating at such volume with a BadBox command and\r\ncontrol (C2) domain, broadening the scope of affected devices beyond Android TV boxes, tablets, and smartphones.\"\r\nThe devices detected by BitSight are primarily located in Russia, China, India, Belarus, Brazil, and Ukraine.\r\nLocation of devices communicating with the BadBox servers\r\nSource: BitSight\r\nBitSight also reports that BSI's recent operation did not impact its telemetry data, as the action was geographically limited,\r\nallowing the BadBox Android malware operation to continue unabated.\r\nWith BadBox expanding to more major brands, it's crucial for consumers to apply the latest firmware security updates,\r\nisolate their smart devices from more critical systems, and disconnect them from the internet when not in use.\r\nHowever, if no security or firmware updates are available for your device, you are strongly advised to disconnect them from\r\nyour network or turn them off altogether.\r\nSigns of a BadBox botnet infection include overheating and performance drops from high processor usage, atypical network\r\ntraffic, and changes in the device settings.\r\nA Google spokesperson has sent BleepingComputer the following comment regarding the above story:\r\n\"These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device\r\nisn't Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect\r\ncertified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm\r\nwhether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides\r\nthe most up-to-date list of partners. You can also take these steps to check if your device is Play Protect\r\ncertified.\" - A Google spokesperson\r\nSource: https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/"
	],
	"report_names": [
		"badbox-malware-botnet-infects-192-000-android-devices-despite-disruption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed9ac8e29ad4ea2a29bed5a63bb89ca33939e73a.pdf",
		"text": "https://archive.orkl.eu/ed9ac8e29ad4ea2a29bed5a63bb89ca33939e73a.txt",
		"img": "https://archive.orkl.eu/ed9ac8e29ad4ea2a29bed5a63bb89ca33939e73a.jpg"
	}
}