Wednesday September 17, 2025

Advisory ID:   ngCERT-2025-080001

SUMMARY

ngCERT has identified malware tagged Android.BadBox2, also known as BadBox 2.0. It is a large-scale Android supply-chain threat in which consumer devices are infected before they are sold: the malicious code is embedded in the system firmware before the device reaches the consumer, which makes it highly resistant to removal. Low-cost devices built on the Android Open Source Project (AOSP) that have not been certified, such as Android tablets, connected TV (CTV) boxes, digital photo frames and phones, are the usual targets. The malware enables remote code execution, account abuse and ad fraud. Organisations and individuals are advised to remain vigilant and prioritise device hygiene to mitigate Android.BadBox2 risks.

Probability:    High

Damage:        Critical

Platform(s): Android TV Boxes, Smart Projectors, Android Tablets, Digital Signage Players and Uncertified Smartphones

DESCRIPTION

Android.BadBox2 is a sophisticated malware campaign that targets uncertified Android devices, primarily those built on AOSP. Infection begins in the supply chain: malicious code is embedded directly into system files such as ‘libanl.so’ before the device reaches the user. In other cases the malware spreads through “evil twin” apps, counterfeit versions of legitimate applications that are sideloaded from third-party sources.

Once installed, the malware connects to remote command-and-control (C2) servers, downloads additional payloads and exposes remote access through a backdoor component known as BB2DOOR. This lets the operators control the device, update the malware or install new modules silently. The device is then enlisted into a global botnet used for fraudulent activity: infected devices are turned into residential proxy nodes, so that attackers can route malicious traffic through victims’ home networks, and they perform ad and click fraud by launching hidden browser sessions that load advertisements in the background, consuming data and battery without the user’s knowledge.

Because it is integrated into the system image, Android.BadBox2 can disable security features, evade detection and survive a factory reset, since a reset restores the same compromised firmware. It therefore poses a serious threat to user privacy, network integrity and digital infrastructure at large.

CONSEQUENCES

Falling prey to these attacks could lead to:

  1. System compromise.
  2. Unauthorised access to sensitive data.
  3. Data exfiltration.
  4. Reputational damage.
  5. Service disruption leading to potential denial of service (DoS).
  6. Legal implications.

SOLUTION/MITIGATION

The following recommendations should be observed to mitigate risks:

  1. Monitor network activity across all connected devices, particularly low-cost TV boxes, projectors and signage players. A device that checks in to the same host on a fixed schedule, or contacts far more destinations than its function requires, should be isolated and investigated as a possible proxy or C2 node.
  2. Update software, firmware and operating systems regularly. Where the vendor provides no firmware updates, treat the device as untrusted.
  3. Avoid unofficial app stores and sideloaded software. Before purchase or deployment, check that the device is Play Protect certified; uncertified AOSP devices are the ones this campaign targets.
  4. Be wary of too-good-to-be-true streaming solutions, such as cheap boxes marketed with free access to paid content.
  5. Isolate or retire devices suspected of infection. Because the implant lives in the system firmware, a factory reset does not remove it.
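The Description above explains two network-visible behaviours of an infected device, periodic check-ins to a C2 server and relaying proxy traffic to many unrelated destinations, and mitigation item 1 asks defenders to monitor network activity for them. The following Python script is an added example written for this advisory, not ngCERT or vendor code: it parses a NetFlow-style CSV of per-device outbound flows and flags a source that talks to an unusually large number of distinct destinations (proxy-like fan-out) or contacts one destination at a nearly constant interval (beaconing). The flow log, device addresses and C2 address are constructed from documentation IP ranges and are not indicators of compromise; the thresholds are illustrative assumptions and should be tuned to the device population being monitored.

```python
"""Network-side triage for the two behaviours described in the advisory:
fixed-interval C2 beaconing and residential-proxy fan-out.
Added example with constructed data; thresholds are illustrative assumptions."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TV_BOX = "192.168.1.20"    # hypothetical uncertified AOSP TV box on the LAN
LAPTOP = "192.168.1.30"    # hypothetical well-behaved device, for contrast
C2_HOST = "203.0.113.10"   # documentation-range placeholder, not a real IOC


def build_sample_log() -> str:
    """Construct a flow log (timestamp,src_ip,dst_ip,dst_port,bytes_out)."""
    t0 = datetime(2025, 9, 17, 1, 0, 0)
    rows = []
    # 1) The TV box checks in to the C2 host every 300 s: 12 beacons in an hour.
    for i in range(12):
        rows.append((t0 + timedelta(seconds=300 * i), TV_BOX, C2_HOST, 443, 1100 + i))
    # 2) The TV box relays proxy traffic to 40 distinct destinations at
    #    irregular times, which a single-purpose streaming device does not do.
    for i in range(40):
        ts = t0 + timedelta(seconds=41 * i + (i % 5) * 13)
        rows.append((ts, TV_BOX, f"198.51.100.{i + 1}", 443 if i % 2 else 80, 5000 + 97 * i))
    # 3) The laptop talks to three destinations at human-paced, irregular intervals.
    for i, (dst, offset) in enumerate([("192.0.2.5", 0), ("192.0.2.5", 410),
                                       ("192.0.2.6", 1330), ("192.0.2.7", 1900),
                                       ("192.0.2.5", 2950)]):
        rows.append((t0 + timedelta(seconds=offset), LAPTOP, dst, 443, 2000 + i))
    rows.sort()
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["timestamp", "src_ip", "dst_ip", "dst_port", "bytes_out"])
    for ts, src, dst, port, nbytes in rows:
        writer.writerow([ts.isoformat(), src, dst, port, nbytes])
    return buf.getvalue()


def parse_flows(text: str) -> list[dict]:
    """Parse the CSV flow log into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "src": row["src_ip"],
            "dst": row["dst_ip"],
            "port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]),
        })
    return flows


def distinct_destinations(flows: list[dict]) -> dict[str, int]:
    """Count distinct destination IPs per source device (fan-out)."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


def beacon_candidates(flows: list[dict], min_events: int = 6,
                      max_cv: float = 0.05) -> list[tuple[str, str]]:
    """Flag (src, dst) pairs whose inter-arrival times are nearly constant.
    A coefficient of variation (stdev / mean) near zero is a timer firing,
    not a person or an app reacting to content."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return hits


def triage(log_text: str, fan_out_threshold: int = 25) -> dict[str, list[str]]:
    """Return findings per source device; an empty dict means nothing flagged."""
    flows = parse_flows(log_text)
    findings = defaultdict(list)
    for src, n in distinct_destinations(flows).items():
        if n >= fan_out_threshold:
            findings[src].append(f"proxy-like fan-out: {n} distinct destinations")
    for src, dst in beacon_candidates(flows):
        findings[src].append(f"periodic beacon to {dst}")
    return dict(findings)


if __name__ == "__main__":
    for device, notes in triage(build_sample_log()).items():
        print(device)
        for note in notes:
            print("  -", note)
```

On the constructed log only the TV box is flagged, for both fan-out (41 destinations) and a 300-second beacon to the placeholder C2 host, while the laptop's three destinations and irregular timing pass. In practice the fan-out threshold should be set per device class (a TV box legitimately reaches a handful of streaming and update hosts, a laptop many more), and a hit is a reason to isolate the device and capture its traffic, not proof of infection on its own.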

HYPERLINK