HUMAN’s Satori Threat Intelligence and Research team has unveiled a sophisticated cyberattack known as “BADBOX 2.0,” representing a significant evolution from the previously identified BADBOX operation. This advanced botnet has successfully infiltrated over 1 million consumer devices globally, with a notable number compromised through 24 malicious applications available on the Google Play Store. Central to the BADBOX 2.0 operation is a backdoor referred to as BB2DOOR, which grants threat actors persistent privileged access to the infected devices.
The distribution of this backdoor occurs primarily through pre-installed applications on low-cost, off-brand Android Open Source Project devices, as well as via downloads from various third-party marketplaces.
Multiple Threat Actor Groups Collaborate in Complex Scheme
In their investigation, researchers identified four distinct threat actor groups involved in the BADBOX 2.0 operation: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. These groups engage in collaborative efforts, sharing infrastructure and targeting methodologies to enhance the botnet’s reach and effectiveness. The operation facilitates a range of fraudulent schemes, including:
- Residential proxy services: Infected devices serve as proxy nodes, enabling attackers to obscure their true IP addresses.
- Programmatic ad fraud: Hidden advertisements are rendered on devices, while concealed WebViews navigate to HTML5 game websites, generating fraudulent ad impressions.
- Click fraud: Infected devices are manipulated to visit low-quality domains and click on advertisements.
At its peak, the hidden ads scheme associated with BADBOX 2.0 was responsible for generating an astounding 5 billion fraudulent bid requests each week.
Disruption Efforts and Ongoing Threats
According to the report, HUMAN has collaborated closely with Google and other partners to disrupt the BADBOX 2.0 operation. Google has taken decisive action, terminating publisher accounts linked to the operation and implementing protective measures through Google Play Protect. However, the adaptability of the threat actors suggests they may relaunch their operations, as the supply chain that facilitates the implantation of backdoors remains largely intact. Users are advised to limit their app downloads to official marketplaces to mitigate the risk of infection. The investigation into BADBOX 2.0 underscores the growing sophistication of cybercriminal collaborations and highlights the pressing need for robust, collective defense strategies within the cybersecurity industry.