HUMAN Security’s Satori Threat Intelligence team has recently unveiled a sophisticated malware operation known as “BADBOX 2.0,” which has successfully compromised more than 50,000 Android devices through a network of 24 deceptive applications. This operation marks a significant escalation from the original BADBOX campaign that was first detected in 2023. Researchers collaborated with industry giants such as Google, Trend Micro, and Shadowserver to partially disrupt this ongoing threat.
The malware primarily targeted low-cost, “off-brand” Android Open Source Project devices. These include a variety of connected devices such as TV boxes, tablets, digital projectors, and vehicle infotainment systems. The infection process was facilitated by a sophisticated backdoor, aptly named “BB2DOOR,” which granted the threat actors persistent privileged access to the compromised systems.
In their investigation, the Satori Threat Intelligence team identified four distinct groups of threat actors involved in this operation: the SalesTracker Group, MoYu Group, Lemon Group, and LongTV. These groups exhibited a high level of cooperation, utilizing shared infrastructure and business connections to orchestrate multiple fraud schemes, including residential proxy services, programmatic ad fraud, and click fraud.
The backdoor functioned by loading a malicious library, known as libanl.so, which activated various fraud mechanisms on the infected devices. Once engaged, the code would download and install several files that maintained communication with command-and-control servers.
.class public Lcom/hs/App;
.super Landroid/app/Application;
.source "SourceFile"
# static initializer: runs as soon as the Application class is loaded, before any UI
.method static constructor ()V
.locals 2
# single-thread scheduler kept in static field b for later timed work
invoke-static {}, Ljava/util/concurrent/Executors;->newSingleThreadScheduledExec
move-result-object v0
sput-object v0, Lcom/hs/App;->b:Ljava/util/concurrent/ScheduledExecutorService;
# System.loadLibrary("anl") resolves to libanl.so on the device
const-string v0, "anl"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
# 0x1d4c0 = 120000 decimal; the quoted listing ends before its use is shown
const-wide/32 v0, 0x1d4c0
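The fragment above is what an analyst would look for when triaging an APK from a suspect device: a native library loaded from the Application class's static initializer, next to a scheduler that will drive later activity. The following added example (not code from the report or from HUMAN) is a small static triage pass over smali text. It tracks `const-string` registers so it can recover the argument of `System.loadLibrary`, and flags `Executors` scheduler creation in a static constructor. The sample input is the article's own fragment; the one truncated line has been completed with the standard `Executors.newSingleThreadScheduledExecutor()` descriptor from the JDK, and the `.end method` line is assumed.

```python
"""Static triage of a smali listing for native-library loads and schedulers.

Added example, not part of the original report. Input is the smali fragment
quoted in the article (truncated invoke line completed from the JDK API,
.end method assumed).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_SMALI = """\
.class public Lcom/hs/App;
.super Landroid/app/Application;
.source "SourceFile"
.method static constructor ()V
.locals 2
invoke-static {}, Ljava/util/concurrent/Executors;->newSingleThreadScheduledExecutor()Ljava/util/concurrent/ScheduledExecutorService;
move-result-object v0
sput-object v0, Lcom/hs/App;->b:Ljava/util/concurrent/ScheduledExecutorService;
const-string v0, "anl"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
const-wide/32 v0, 0x1d4c0
.end method
"""

METHOD_RE = re.compile(r"^\.method\s+(.*)$")
CONST_STR_RE = re.compile(r'^const-string(?:/jumbo)?\s+(v\d+),\s*"([^"]*)"')
INVOKE_RE = re.compile(r"^invoke-static\s+\{([^}]*)\},\s*(L[\w/$]+;)->([\w<>]+)")


@dataclass
class Finding:
    kind: str          # "native_load" or "scheduler"
    method: str        # smali method header where it was seen
    detail: str        # library file name or Executors factory used
    at_class_load: bool  # True when inside the static initializer


def _is_static_init(method_header: str) -> bool:
    # smali writes the static initializer as <clinit>()V; the article's
    # listing renders it as "static constructor ()V", so accept both.
    return "<clinit>" in method_header or "constructor" in method_header


def triage_smali(text: str) -> list[Finding]:
    """Walk the listing once, resolving string registers within each method."""
    findings: list[Finding] = []
    method = "<none>"
    regs: dict[str, str] = {}  # register -> last const-string loaded into it
    for raw in text.splitlines():
        line = raw.strip()
        if m := METHOD_RE.match(line):
            method, regs = m.group(1), {}
            continue
        if line == ".end method":
            method, regs = "<none>", {}
            continue
        if m := CONST_STR_RE.match(line):
            regs[m.group(1)] = m.group(2)
            continue
        if m := INVOKE_RE.match(line):
            args = [a.strip() for a in m.group(1).split(",") if a.strip()]
            cls, name = m.group(2), m.group(3)
            if cls == "Ljava/lang/System;" and name == "loadLibrary":
                lib = regs.get(args[0], "?") if args else "?"
                findings.append(Finding("native_load", method, f"lib{lib}.so",
                                        _is_static_init(method)))
            elif cls == "Ljava/util/concurrent/Executors;" and "Scheduled" in name:
                findings.append(Finding("scheduler", method, name,
                                        _is_static_init(method)))
    return findings


def native_libs_loaded_at_class_load(text: str) -> list[str]:
    """Library file names loaded from a static initializer, in listing order."""
    return [f.detail for f in triage_smali(text)
            if f.kind == "native_load" and f.at_class_load]


if __name__ == "__main__":
    for f in triage_smali(SAMPLE_SMALI):
        print(f"{f.kind:12} {f.detail:45} class-load={f.at_class_load}  in {f.method}")
```

On the article's fragment the pass reports `libanl.so` loaded at class load and a scheduled executor created in the same initializer, which is exactly the pairing worth escalating when the library name does not belong to any known SDK. Against a real decompiled APK you would run it over every `.smali` file and review each hit.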
The 24 malicious applications operated as “evil twins” to legitimate apps found in the Google Play Store, sharing package names with authentic “decoy twins” to create an illusion of legitimacy in ad requests. This clever ruse enabled the threat actors to generate fraudulent ad traffic on an unprecedented scale, with hidden ad schemes producing as many as 5 billion fraudulent bid requests each week.
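Because an "evil twin" reuses the package name of a real Play Store app, the bundle identifier in a bid request cannot be trusted on its own. The report's observation that every infected device was an uncertified AOSP device suggests a simple per-bundle signal an ad platform or SSP can compute: compare request volume per device between certified and uncertified devices claiming the same bundle. The heuristic, thresholds and log records below are an added, constructed example and are not HUMAN's detection logic.

```python
"""Per-bundle bid-request anomaly check: certified vs. uncertified devices.

Added example with constructed data; the heuristic and thresholds are
assumptions for illustration, not the report's own method.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean

# Constructed hourly bid-request summaries: (bundle, device_id, play_certified, requests)
BID_LOG = [
    ("com.example.weather", "dev-a1", True, 3),
    ("com.example.weather", "dev-a2", True, 5),
    ("com.example.weather", "dev-a3", True, 2),
    ("com.example.weather", "box-01", False, 480),   # hidden-ad style volume
    ("com.example.weather", "box-02", False, 512),
    ("com.example.news", "dev-b1", True, 4),
    ("com.example.news", "dev-b2", False, 6),        # one uncertified, normal rate
]


def bundle_stats(log) -> dict[str, dict[str, float]]:
    """Per bundle: mean requests per device for each certification class and
    the share of total volume that came from uncertified devices."""
    by_bundle = defaultdict(lambda: {"certified": [], "uncertified": []})
    for bundle, _device, certified, requests in log:
        by_bundle[bundle]["certified" if certified else "uncertified"].append(requests)
    stats = {}
    for bundle, groups in by_bundle.items():
        cert, uncert = groups["certified"], groups["uncertified"]
        total = sum(cert) + sum(uncert)
        stats[bundle] = {
            "certified_mean": mean(cert) if cert else 0.0,
            "uncertified_mean": mean(uncert) if uncert else 0.0,
            "uncertified_share": (sum(uncert) / total) if total else 0.0,
        }
    return stats


def suspect_bundles(log, ratio=10.0, min_share=0.5) -> list[str]:
    """Bundles whose uncertified devices fire at least `ratio` times the
    per-device rate of certified devices and supply most of the volume.
    A bundle with no certified traffic at all is judged on share alone."""
    flagged = []
    for bundle, s in sorted(bundle_stats(log).items()):
        rate_ok = (s["certified_mean"] == 0.0 and s["uncertified_mean"] > 0) or (
            s["certified_mean"] > 0 and s["uncertified_mean"] >= ratio * s["certified_mean"])
        if rate_ok and s["uncertified_share"] >= min_share:
            flagged.append(bundle)
    return flagged


if __name__ == "__main__":
    for b, s in bundle_stats(BID_LOG).items():
        print(b, {k: round(v, 2) for k, v in s.items()})
    print("suspect:", suspect_bundles(BID_LOG))
```

The thresholds are deliberately coarse; in practice they would be tuned per inventory type and combined with device attestation results rather than used alone. The point is that the spoofed bundle name alone is indistinguishable, so the decision has to rest on device-side signals such as certification.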
Google’s Response
In response to this alarming threat, Google has implemented several measures to protect users. Google Play Protect now automatically alerts users and blocks apps exhibiting BADBOX behavior at the time of installation on certified devices equipped with Google Play Services. Furthermore, Google has terminated the publisher accounts associated with BADBOX 2.0 from its advertising ecosystem.
Device owners who are concerned about potential infections are advised to verify whether their devices are Google Play Protect certified. All identified infected devices were found to be uncertified Android Open Source Project devices manufactured in China and distributed globally. Users are also encouraged to ensure that Google Play Protect is enabled and to refrain from downloading apps from unofficial sources.