Surge in Android Infections as BADBOX 2.0 Malware Spreads Worldwide

A major new wave of Android malware infections is rippling across the globe, driven by the expansion and adaptation of the BADBOX 2.0 botnet operation.

Threat analysts from HUMAN’s Satori Threat Intelligence and Research team, along with partners Google, Trend Micro, and others, have partially disrupted what is now the largest known botnet targeting Android-based Connected TV (CTV) devices, tablets, digital projectors, and other low-cost consumer electronics.

The BADBOX 2.0 campaign, which picks up where the original BADBOX left off, leverages persistent supply chain attacks through pre-installed backdoors and malicious apps on uncertified devices, primarily manufactured in China and distributed internationally.

Largest Connected TV Botnet Uncovered

BADBOX 2.0’s infection chain typically starts at the firmware or pre-installed application layer, embedding a backdoor in the device’s software stack.

[Figure: three backdoor delivery mechanisms for BADBOX 2.0]

This backdoor, often implemented as a malicious Android native library (libanl.so), is loaded by a hidden system class (com.hs.app).

On initial boot, it contacts command-and-control (C2) servers, decrypts itself, and establishes persistence, then proceeds to download and execute additional fraud modules.

Unlike previous campaigns, BADBOX 2.0 has diversified its infection vectors, including both pre-installed malware and trojanized versions of popular apps disseminated via unofficial app marketplaces.

Once activated, the infected devices are conscripted into a botnet and can be remotely tasked by threat actors to execute a wide array of fraudulent and malicious activities.

These include programmatic ad fraud, click fraud, large-scale residential proxy services (subsequently abused for account takeover, fake account generation, DDoS attacks, and credential theft), as well as direct malware distribution.

Researchers have observed attack traffic from over 1 million infected devices in at least 222 countries and territories.

Notably, the infections are most prevalent in markets consuming affordable, uncertified Android Open Source Project (AOSP) devices, such as Brazil, the United States, Mexico, Argentina, and Colombia.

Supply Chain Attacks Fuel Global Spread

Four primary threat actor groups were identified as part of the BADBOX 2.0 operation, each specializing in a different aspect of the campaign: infrastructure management (SalesTracker Group), backdoor development and botnet control (MoYu Group), residential proxy monetization and HTML5 game ad fraud (Lemon Group), and app-based ad fraud via CTV platforms (LongTV/Longvision Media).

These groups share C2 infrastructure and collaborate to maximize revenue and network resilience.

Technically, the BADBOX 2.0 backdoor (dubbed “BB2DOOR”) is distributed through several channels: directly pre-installed on device firmware, fetched from C2 servers on first boot, or sideloaded by users as part of seemingly legitimate apps.

[Figure: overview of the backdoor execution]

Upon activation, BB2DOOR downloads additional .jar payloads responsible for maintaining device persistence and executing remote instructions.

The modular architecture enables threat actors to upgrade functionality, adapt tactics, and propagate new fraud modules quickly.

Security researchers highlighted an extensive array of device models compromised by BADBOX 2.0, ranging from CTV boxes (e.g., X96Q, TX3mini, KM series) and tablets to digital projectors and infotainment systems.

Google, in collaboration with industry partners, has responded by enhancing Google Play Protect’s detection rules: Play Protect now automatically blocks known BADBOX variants during installation on certified devices, even if the source is outside the Play Store.

Additionally, Google has terminated publisher accounts implicated in the scheme to curb ad fraud monetization.

Despite ongoing disruption efforts, the underlying threat persists due to the foundational supply chain vulnerabilities. Users are advised to verify their devices’ Google Play Protect certification and avoid installing apps from unofficial sources.

The multifaceted nature of BADBOX 2.0 demonstrates modern cybercriminals’ ability to coordinate, share resources, and rapidly adapt, necessitating ongoing vigilance and collaborative defense across the cybersecurity ecosystem.

Indicators of Compromise (IoCs)

Category: Value/Example
Device Models: X96Q, TX3mini, X96mini, KM1, Xtv77, NETBOX_B68, Projector_T6P, A15, etc.
C2 Domains (Sample): catmore88.com, cbpheback.com, long.tv, app-goal.com, ipmoyu.com, wildpettykiwi.com, etc.
Malicious Libraries: libanl.so
Key Classes/Methods: com.hs.app, com.hs.cld.Main
Malicious Payloads: p.jar, q.jar
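As an added example (not code from the article, from HUMAN, or from Google), the following Python script applies the indicators in the table above to DNS-resolver records and a device inventory, the two places a defender would most likely see this campaign. The resolver line format, the inventory fields, and every sample record are constructed for the demonstration; only the IoC values come from the article.

```python
"""Match DNS-resolver records and a device inventory against the BADBOX 2.0
indicators listed in the article.

Added example for this page, not code from the article, HUMAN or Google.
The IoC values come from the article's table; the log line format, the
inventory layout and all sample records are constructed for the demo."""
from dataclasses import dataclass

# Indicator values as listed in the article.
C2_DOMAINS = {"catmore88.com", "cbpheback.com", "long.tv", "app-goal.com",
              "ipmoyu.com", "wildpettykiwi.com"}
MALICIOUS_LIBS = {"libanl.so"}
SUSPICIOUS_CLASSES = {"com.hs.app", "com.hs.cld.Main"}
PAYLOAD_NAMES = {"p.jar", "q.jar"}
DEVICE_MODELS = {"X96Q", "TX3mini", "X96mini", "KM1", "Xtv77",
                 "NETBOX_B68", "Projector_T6P", "A15"}
HOST_CATEGORIES = {"library", "class", "payload"}


@dataclass(frozen=True)
class Finding:
    source: str     # device IP the record belongs to
    category: str   # c2_domain | library | class | payload | model
    indicator: str  # the IoC value that matched


def matching_c2_domain(qname):
    """Return the listed C2 domain that qname equals or is a subdomain of,
    else None.  Matching on label boundaries avoids flagging look-alikes
    such as 'notlong.tv' that a plain substring check would catch."""
    qname = qname.rstrip(".").lower()
    for domain in C2_DOMAINS:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def scan_dns(log_text):
    """Parse constructed resolver lines '<ts> <client-ip> <qtype> <qname>'
    and report queries for listed C2 domains.  Malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client_ip, _qtype, qname = fields
        hit = matching_c2_domain(qname)
        if hit:
            findings.append(Finding(client_ip, "c2_domain", hit))
    return findings


def scan_inventory(devices):
    """Check each inventory record (constructed layout: ip, model, libs,
    classes, files) for on-device indicators.  A model name alone is a weak
    signal, since the same cheap hardware ships with and without BADBOX."""
    findings = []
    for dev in devices:
        ip = dev["ip"]
        if dev.get("model") in DEVICE_MODELS:
            findings.append(Finding(ip, "model", dev["model"]))
        for path in dev.get("libs", []):
            name = path.rsplit("/", 1)[-1]
            if name in MALICIOUS_LIBS:
                findings.append(Finding(ip, "library", name))
        for cls in dev.get("classes", []):
            if cls in SUSPICIOUS_CLASSES:
                findings.append(Finding(ip, "class", cls))
        for path in dev.get("files", []):
            name = path.rsplit("/", 1)[-1]
            if name in PAYLOAD_NAMES:
                findings.append(Finding(ip, "payload", name))
    return findings


def triage(log_text, devices):
    """Group findings per device and rate them: C2 traffic plus an on-device
    artefact is 'high', either alone is 'medium', a model-name hit is 'low'."""
    per_ip = {}
    for f in scan_dns(log_text) + scan_inventory(devices):
        per_ip.setdefault(f.source, []).append(f)
    rated = {}
    for ip, fs in per_ip.items():
        cats = {f.category for f in fs}
        if "c2_domain" in cats and cats & HOST_CATEGORIES:
            level = "high"
        elif "c2_domain" in cats or cats & HOST_CATEGORIES:
            level = "medium"
        else:
            level = "low"
        rated[ip] = (level, fs)
    return rated


# Constructed sample data for the demo (not captured traffic).
DNS_LOG = """\
2025-06-05T10:21:03Z 192.168.1.57 A cdn.catmore88.com
2025-06-05T10:21:04Z 192.168.1.57 A api.long.tv
2025-06-05T10:21:09Z 192.168.1.20 A play.googleapis.com
2025-06-05T10:21:12Z 192.168.1.31 A notlong.tv
2025-06-05T10:22:40Z 192.168.1.57 A ipmoyu.com.
"""

INVENTORY = [
    {"ip": "192.168.1.57", "model": "X96Q",
     "libs": ["/system/lib/libanl.so", "/system/lib/libc.so"],
     "classes": ["com.hs.app"], "files": ["/data/local/tmp/p.jar"]},
    {"ip": "192.168.1.20", "model": "generic_tablet",
     "libs": ["/system/lib64/libc.so"], "classes": [], "files": []},
    {"ip": "192.168.1.31", "model": "TX3mini",
     "libs": ["/system/lib/libc.so"], "classes": [], "files": []},
]

if __name__ == "__main__":
    for ip, (level, fs) in sorted(triage(DNS_LOG, INVENTORY).items()):
        print(f"{ip}: {level}")
        for f in fs:
            print(f"    {f.category:<10} {f.indicator}")
```

The rating logic deliberately treats a matching model name as the weakest signal: the article lists these models because infected units were observed, not because every unit is infected, so a model hit should prompt a check of the device rather than a block on its own. Suffix matching on label boundaries matters for the domain list because C2 traffic typically goes to subdomains of the listed zones.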


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
