More Than 1 Million Android Devices Compromised By Hidden Backdoor

Image by Utsman Media, from Unsplash


A team of cybersecurity researchers has uncovered and partially disrupted a large-scale fraud operation called BADBOX 2.0, which involved a botnet of over one million infected Android-based devices.

In a Rush? Here are the Quick Facts!

  • Researchers uncovered BADBOX 2.0, a botnet of over one million infected Android devices.
  • The botnet used pre-installed backdoors in uncertified Android devices for cybercrime.
  • Infected devices enabled ad fraud, account takeovers, DDoS attacks, and malware distribution.

The operation, an evolution of the original BADBOX campaign exposed in 2023, relied on backdoors pre-installed on low-cost, uncertified consumer devices to facilitate cybercriminal activities.

The investigation, led by HUMAN’s Satori Threat Intelligence, revealed strong evidence linking the perpetrators behind BADBOX to the expansion of the BADBOX 2.0 scheme.

The researchers say that this scheme builds on the original BADBOX operation revealed in 2023 and represents the most extensive botnet of infected connected TV (CTV) devices ever identified, compromising over one million uncertified, low-cost Android devices worldwide.

BADBOX 2.0 exploits backdoors in consumer electronics such as off-brand tablets, CTV boxes, and digital projectors to deploy fraud modules remotely. These devices connect to command-and-control (C2) servers run by multiple cybercriminal groups.

The infection spreads through compromised supply chains, pre-installed malware, or third-party app downloads, enabling attackers to take control of unsuspecting users’ devices.

Once infected, these devices join a massive botnet used for fraud. Attackers exploit them for ad fraud by running hidden ads and faking engagement, click fraud by sending traffic to fake websites, and automated browsing to artificially boost web traffic.

The botnet also enables cybercriminals to sell access to infected devices’ IP addresses for residential proxy services. The researchers explain that this facilitates account takeovers, fake account creation, and bypassing authentication systems.

Additionally, compromised devices are used in DDoS attacks, malware distribution, and one-time password (OTP) theft, allowing attackers to hijack user accounts.

The BADBOX 2.0 malware manipulates user activity with hidden ads and automated browsing, creating fake engagement, generating fraudulent ad revenue, and disrupting the digital ad industry.

HUMAN researchers identified four main cybercriminal groups involved in the operation. SalesTracker Group managed the BADBOX infrastructure and its expansion, while MoYu Group developed the backdoor, operated the botnet, and ran a click fraud campaign.

Lemon Group was linked to residential proxy services and fraudulent online gaming websites, and LongTV developed malicious CTV applications to facilitate hidden ad fraud.

HUMAN and its partners have disrupted key parts of BADBOX 2.0 by monitoring its infrastructure and taking targeted action. Google removed BADBOX-affiliated publisher accounts and strengthened Google Play Protect to block associated malware at installation.

To reduce exposure, users are advised to check whether their devices are Google Play Protect certified and avoid uncertified Android devices.
