BadBox Malware Infects 50,000+ Android Devices via 24 Apps on Google Play

HUMAN’s Satori Threat Intelligence and Research team has uncovered a complex cyberattack dubbed “BADBOX 2.0,” an evolution of the previously disclosed BADBOX operation.

This sophisticated botnet has infected over 1 million consumer devices worldwide, with a significant portion compromised through 24 malicious apps on the Google Play Store.

The BADBOX 2.0 operation centers on a backdoor called BB2DOOR, which gives threat actors persistent privileged access to infected devices.

The backdoor is distributed through pre-installed apps on low-cost, off-brand Android Open Source Project devices, as well as through downloads from third-party marketplaces.

Multiple Threat Actor Groups Collaborate in Complex Scheme

Researchers identified four distinct threat actor groups involved in BADBOX 2.0: SalesTracker Group, MoYu Group, Lemon Group, and LongTV.

These groups collaborate, sharing infrastructure and targeting methods to maximize the botnet’s reach and effectiveness.

The operation enables various fraud schemes, including:

1. Residential proxy services: Infected devices are used as proxy nodes, allowing attackers to hide their true IP addresses.
2. Programmatic ad fraud: Hidden ads are rendered on devices, and hidden WebViews navigate to HTML5 game websites to generate fraudulent ad impressions.
3. Click fraud: Infected devices are directed to visit low-quality domains and click on ads.

At its peak, the hidden ads scheme within BADBOX 2.0 generated 5 billion fraudulent bid requests per week.

Disruption Efforts and Ongoing Threats

According to the Report, HUMAN has worked closely with Google and other partners to disrupt BADBOX 2.0.

Google has taken action to terminate publisher accounts associated with the operation and has implemented measures to protect users through Google Play Protect.

However, the threat actors may adapt and relaunch their operations, as the supply chain enabling the implantation of backdoors remains intact.

Users are advised to limit app downloads to official marketplaces to reduce the risk of infection.

The BADBOX 2.0 investigation highlights the increasing sophistication of cybercriminal collaborations and emphasizes the need for robust, collective defense strategies in the cybersecurity industry.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free