
China-based botnet operators, numbering 25, are being sued by Google for their alleged involvement with BadBox 2.0.

The advertising giant cites reputational and financial damage alongside allegations of criminal conduct

Chinese operators of the BadBox 2.0 botnet are being sued by Google for alleged illegal activities. Google is pursuing legal action against 25 individuals residing in China for their involvement in the botnet operation.


In a significant move to combat cybercrime, Google has filed a lawsuit against 25 unnamed individuals in China, accusing them of breaking into more than 10 million devices worldwide. The targeted devices include internet-connected TVs (CTVs), streaming devices, tablets, digital projectors, and aftermarket car infotainment systems, making the BadBox 2.0 botnet the largest known botnet of infected CTVs ever uncovered.

The botnet spreads primarily through malware pre-installed on uncertified AOSP (Android Open Source Project) devices. It relies on a network of command and control (C2) servers to manage and instruct infected devices, and Google aims to disrupt the operation by sinkholing those C2 domains if the court rules in its favour.

The BadBox 2.0 Enterprise is a complex operation involving multiple groups, as detailed in the lawsuit. The Infrastructure Group develops and manages the primary C2 servers and domains for BadBox 2.0. Meanwhile, the Backdoor Malware Group is responsible for pre-installing backdoors in the bots for operating a portion of the botnet and selling access to proxy devices.

The Ad Games Group is connected to a hidden web browser scheme conducted through infected devices that uses fraudulent "games" to generate ads. The Evil Twin Group creates apps for ad-fraud campaigns using malicious copies of legitimate apps to trick users and generate ads. All these threat-actor groups remain connected to each other through shared infrastructure and historical and current business ties.

The BadBox botnet has been involved in account takeovers, fake account creations, credential stealing, sensitive information exfiltration, and DDoS attacks. The botnet's secondary infrastructure, managed by the Enterprise, is used for monetization purposes, such as running malware, apps, and websites on the infected devices.

Human Security CEO Stu Solomon applauded Google's action in the lawsuit, stating it marks a significant step forward in the ongoing battle to secure the internet from sophisticated fraud operations. Gavin Reid, CISO at Human Security, expects there will be a BadBox 3.0, underscoring the importance of continued vigilance and collaboration in the fight against cybercrime.

Google, in collaboration with Trend Micro, Human Security, and the Shadowserver Foundation, has previously identified the C2 servers and domains directing the hijacked devices. The FBI has also issued a Public Service Announcement warning consumers that cybercriminals continue to exploit Android devices, suggesting that the botnet continues to expand.


  1. The lawsuit filed by Google against 25 unnamed individuals in China alleges that the accused broke into over 10 million devices worldwide, including CTVs, streaming devices, tablets, digital projectors, and car infotainment systems.
  2. The BadBox 2.0 botnet, the largest known botnet of infected CTVs ever uncovered, operates primarily through pre-installed malware on uncertified AOSP devices and uses a network of command and control servers to manage infected devices.
  3. The BadBox 2.0 Enterprise, a complex operation involving multiple groups, includes the Infrastructure Group, responsible for managing primary C2 servers and domains, and the Backdoor Malware Group, which pre-installs backdoors in the bots for operating a portion of the botnet and selling access to proxy devices.
  4. The BadBox botnet, run by the Enterprise, is involved in account takeovers, fake account creations, credential stealing, sensitive information exfiltration, DDoS attacks, and is used for monetization purposes, such as running malware, apps, and websites on the infected devices.
