A sophisticated evolution of the BADBOX malware, known as BADBOX 2.0, has infiltrated over one million Android devices worldwide, marking a significant escalation in mobile security threats. This advanced malware variant has been identified on a range of low-cost, off-brand Android devices, including smart TVs, TV streaming boxes, digital picture frames, media players, projectors, and tablets. These devices, primarily manufactured in China, have been distributed globally, leading to widespread infections.
The Satori Threat Intelligence team at HUMAN Security uncovered this extensive botnet operation. BADBOX 2.0 operates by embedding a backdoor into the firmware of these devices during the manufacturing process. Upon initial activation, the infected device connects to command-and-control (C2) servers, downloading additional payloads that establish persistence and facilitate various cyberattacks or fraudulent activities.
The global impact of BADBOX 2.0 is substantial, with infections reported in 222 countries. The most affected nations include Brazil (37.6% of infections), the United States (18.2%), Mexico (6.3%), Argentina (5.3%), and Colombia. This widespread distribution underscores the malware’s extensive reach and the challenges in containing such a pervasive threat.
BADBOX 2.0’s infection vectors are diverse. The malware is pre-installed on devices during manufacturing, particularly on those relying on the Android Open Source Project (AOSP) and lacking Google Play Protect certification. Additionally, the malware spreads through seemingly benign applications available on third-party marketplaces, which contain hidden loader functionalities that install the backdoor upon execution.
Once compromised, devices become part of a botnet exploited by multiple hacker groups for various malicious activities:
– Ad Fraud: The malware renders hidden ads and launches concealed browser windows that navigate and perform actions on a collection of websites, generating fraudulent ad impressions and clicks.
– Residential Proxy Services: Infected devices are used as proxies, allowing threat actors to route their malicious traffic through these devices, masking their true origins.
– Account Creation and Data Collection: The malware can programmatically create accounts on online services and collect sensitive user data, facilitating further cybercriminal activities.
The operation of BADBOX 2.0 involves several distinct but cooperative hacker groups:
– SalesTracker Group: Responsible for the initial BADBOX operation, managing the C2 infrastructure for BADBOX 2.0.
– MoYu Group: Developed the backdoor for BADBOX 2.0, coordinated its variants, operated a subset of the botnet, and conducted click fraud campaigns.
– Lemon Group: Connected to residential proxy services created through the BADBOX operation and linked to ad fraud campaigns across a network of HTML5 game websites using infected devices.
Efforts to disrupt BADBOX 2.0 have been undertaken by various cybersecurity organizations and authorities. In December 2024, German authorities blocked connections from 30,000 infected devices. More recently, Google removed 24 malicious apps from the Play Store and implemented Play Protect enforcement rules to warn users and block the installation of apps associated with BADBOX 2.0 on certified Android devices. Despite these efforts, the supply chain of compromised devices remains intact, posing ongoing challenges to fully dismantling the botnet.
