HUMAN’s Satori Threat Intelligence and Research team has uncovered a complex malware operation dubbed “BADBOX 2.0,” which has infected over 1 million consumer devices worldwide.
This operation, an expansion of the previously disclosed BADBOX threat, primarily targets low-cost, off-brand Android Open Source Project devices with a sophisticated backdoor.
The BADBOX 2.0 operation begins with the installation of a backdoor, dubbed BB2DOOR by researchers, which provides threat actors with persistent privileged access to infected devices.
This backdoor is distributed through three primary channels: pre-installation on devices, retrieval from command-and-control (C2) servers upon first boot, and downloads from third-party marketplaces by unsuspecting users.
Residential Proxy Services and Ad Fraud Schemes Enabled by Backdoor
The malware operation involves four distinct threat actor groups: SalesTracker Group, MoYu Group, Lemon Group, and LongTV.
These groups collaborate and share infrastructure to carry out various fraud schemes, including the sale of residential proxy services, programmatic ad fraud, and click fraud.
One of the most concerning aspects of BADBOX 2.0 is its distribution through seemingly legitimate apps on the Google Play Store.
Researchers identified 24 “evil twin” apps paired with “decoy twin” apps in the Play Store; the pairs share package names so that ad requests from the malicious copies appear to come from legitimate apps.
These apps, which have accumulated over 50,000 downloads, generate fraudulent ad traffic primarily from BADBOX 2.0-infected devices.
The malware’s capabilities extend beyond ad fraud. Infected devices can be used as part of a botnet to conduct various attacks, including account takeover attempts, fake account creation, DDoS attacks, and malware distribution.
The residential proxy services offered by the threat actors further facilitate these downstream attacks by masking the true origin of malicious activities.
According to the report, HUMAN has worked closely with Google and other partners to disrupt the BADBOX 2.0 operation.
Google has taken action to terminate publisher accounts associated with BADBOX 2.0 from its ad ecosystem and has implemented measures to protect users through Google Play Protect.
However, the threat actors may adapt and relaunch their operations, highlighting the need for continued vigilance and research to address vulnerabilities in the supply chain that enable such large-scale threats.
The BADBOX 2.0 investigation underscores the increasing sophistication of cybercriminal operations and the importance of collaborative efforts in cybersecurity.
As threat actors continue to band together and share resources, organizations must adopt a collective approach to protect against evolving threats that span the entire customer journey, from advertising to website visits and logins.