More Than 1 Million Android Devices Compromised By Hidden Backdoor
A team of cybersecurity researchers has uncovered and partially disrupted a large-scale fraud operation called BADBOX 2.0, which involved a botnet of over one million infected Android-based devices.
In a Rush? Here are the Quick Facts!
- Researchers uncovered BADBOX 2.0, a botnet of over one million infected Android devices.
- The botnet used pre-installed backdoors in uncertified Android devices for cybercrime.
- Infected devices enabled ad fraud, account takeovers, DDoS attacks, and malware distribution.
The operation, an evolution of the original BADBOX campaign exposed in 2023, relied on backdoors pre-installed on low-cost, uncertified consumer devices to facilitate cybercriminal activities.
The investigation, led by HUMAN’s Satori Threat Intelligence and Research team in collaboration with Google, Trend Micro, Shadowserver, and other partners, revealed strong evidence linking the perpetrators behind BADBOX to the expansion of the BADBOX 2.0 scheme.
It is the most extensive botnet of infected connected TV (CTV) devices identified to date, comprising over one million uncertified, low-cost Android devices worldwide.
BADBOX 2.0 relies on backdoors pre-installed on consumer electronics such as off-brand tablets, CTV boxes, and digital projectors to deploy fraud modules remotely. The backdoor connects the device to command-and-control (C2) servers run by several cooperating cybercriminal groups.
Devices are infected through compromised supply chains (the backdoor ships in the firmware before the device reaches the buyer) or through apps downloaded from third-party marketplaces, giving attackers control of the device without the owner noticing.
Once infected, these devices become part of a vast botnet used for fraudulent activities. Attackers use them for ad fraud by running hidden ads and simulating engagement, click fraud by directing traffic to fake domains, and automated browsing to inflate website traffic.
The botnet also enables cybercriminals to sell access to infected devices’ IP addresses for residential proxy services, facilitating account takeovers, fake account creation, and bypassing authentication systems.
Additionally, compromised devices are used in DDoS attacks, malware distribution, and one-time password (OTP) theft, allowing attackers to hijack user accounts.
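The residential-proxy abuse described above leaves a recognisable footprint on the local network: a TV box or projector that should only talk to a handful of streaming CDN hosts instead opens many short, roughly symmetric connections to many unrelated hosts and ports. The following script is an added example written for this page, not tooling from HUMAN, Google, or the BADBOX investigation; it assumes a hypothetical whitespace-separated flow export with the columns `timestamp src_ip dst_ip dst_port bytes_in bytes_out`, uses illustrative thresholds, and runs on constructed sample records whose addresses are all RFC 5737 documentation ranges rather than real infrastructure.

```python
"""Flag LAN devices whose outbound traffic looks like residential-proxy relaying.

Added example, not HUMAN's or Google's tooling. Assumes a hypothetical flow
export with columns: timestamp src_ip dst_ip dst_port bytes_in bytes_out.
Sample data is constructed; addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_in: int   # bytes returned to the device
    bytes_out: int  # bytes sent by the device


def parse_flow_line(line: str) -> Flow:
    """Parse one record of the assumed flow format."""
    ts, src, dst, dport, b_in, b_out = line.split()
    return Flow(ts, src, dst, int(dport), int(b_in), int(b_out))


@dataclass
class DeviceSummary:
    src: str
    connections: int
    distinct_dsts: int
    distinct_ports: int
    median_bytes_in: float
    median_bytes_out: float

    @property
    def in_out_ratio(self) -> float:
        # A streaming box downloads far more than it uploads; a relay is near 1:1.
        return self.median_bytes_in / max(self.median_bytes_out, 1)


def summarize(flows: list[Flow]) -> dict[str, DeviceSummary]:
    """Aggregate per source device over the whole observation window."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {
        src: DeviceSummary(
            src=src,
            connections=len(fl),
            distinct_dsts=len({f.dst for f in fl}),
            distinct_ports=len({f.dport for f in fl}),
            median_bytes_in=median([f.bytes_in for f in fl]),
            median_bytes_out=median([f.bytes_out for f in fl]),
        )
        for src, fl in by_src.items()
    }


def proxy_like(s: DeviceSummary, min_conns: int = 20, min_dsts: int = 15,
               max_in_out_ratio: float = 5.0) -> bool:
    """Heuristic: many short, roughly symmetric flows to many distinct hosts.

    Thresholds are illustrative assumptions; baseline your own CTV/IoT VLAN
    before alerting on them.
    """
    return (s.connections >= min_conns
            and s.distinct_dsts >= min_dsts
            and s.in_out_ratio <= max_in_out_ratio)


def flag_devices(lines: list[str], **thresholds) -> list[str]:
    """Return the source IPs whose traffic profile matches proxy_like()."""
    flows = [parse_flow_line(line) for line in lines if line.strip()]
    return sorted(src for src, s in summarize(flows).items()
                  if proxy_like(s, **thresholds))


def build_sample_flows() -> list[str]:
    """Constructed sample: one ordinary TV box and one device relaying traffic."""
    lines = []
    # 192.168.50.10: a few CDN hosts on 443, large downloads, tiny uploads.
    for i in range(8):
        cdn = f"198.51.100.{10 + i % 3}"
        lines.append(f"2025-03-05T20:0{i}:00 192.168.50.10 {cdn} 443 "
                     f"{4_000_000 + i * 10_000} 9000")
    # 192.168.50.11: 30 small, symmetric flows to 30 hosts on assorted ports.
    for i in range(30):
        dst = f"203.0.113.{50 + i}"
        port = (80, 443, 8080, 25, 5222)[i % 5]
        lines.append(f"2025-03-05T20:{i:02d}:30 192.168.50.11 {dst} {port} "
                     f"{1500 + i * 37} {1400 + i * 41}")
    return lines


if __name__ == "__main__":
    flows = [parse_flow_line(l) for l in build_sample_flows()]
    for src, s in summarize(flows).items():
        print(f"{src}: conns={s.connections} dsts={s.distinct_dsts} "
              f"ports={s.distinct_ports} in/out={s.in_out_ratio:.1f} "
              f"proxy_like={proxy_like(s)}")
```

The point of the three-part test is that any single signal is noisy on its own: a set-top box doing a firmware update has symmetric-looking traffic for a while, and an ad-heavy streaming app touches many hosts. Requiring high connection count, many distinct hosts, and a download/upload ratio near 1:1 at the same time is what separates a relay from ordinary CTV behaviour, and segmenting such devices onto their own VLAN makes that baseline easy to establish.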
The malware powering BADBOX 2.0 manipulates user behavior and engagement metrics through hidden ads and automated browsing, generating fraudulent ad revenue and distorting the digital advertising ecosystem.
HUMAN researchers identified four main cybercriminal groups involved in the operation. SalesTracker Group managed the BADBOX infrastructure and its expansion, while MoYu Group developed the backdoor, operated the botnet, and ran a click fraud campaign.
Lemon Group was linked to residential proxy services and fraudulent online gaming websites, and LongTV developed malicious CTV applications to facilitate hidden ad fraud.
HUMAN and its partners have disrupted key parts of BADBOX 2.0 by monitoring its infrastructure and taking targeted action. Google removed BADBOX-affiliated publisher accounts and strengthened Google Play Protect to block associated malware at installation.
To reduce exposure, users are advised to check whether their devices are Play Protect certified (in the Google Play Store app: profile icon, then Settings, then About, where the "Play Protect certification" status is shown; a device that cannot run the Play Store at all is by definition uncertified) and to avoid buying uncertified Android devices.
Despite these efforts, the cybercriminals behind BADBOX 2.0 continue to adapt, shifting infrastructure and distribution channels as parts of the operation are taken down. HUMAN and its partners say they will keep tracking the operation to protect consumers and the advertising industry from further harm.