At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem.
This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in collaboration with Google, Trend Micro, Shadowserver, and other partners.
The “complex and expansive fraud operation” has been codenamed BADBOX 2.0. It has been described as the largest botnet of infected connected TV (CTV) devices ever uncovered.
“BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely,” the company said. “These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors.”
The threat actors are known to exploit several methods, ranging from hardware supply chain compromises to third-party marketplaces, to distribute what ostensibly appear to be benign applications that contain surreptitious “loader” functionality to infect these devices and applications with the backdoor.
The backdoor subsequently causes the infected devices to become part of a larger botnet that's abused for programmatic ad fraud and click fraud and to offer illicit residential proxy services –
As many as one million devices, mainly comprising inexpensive Android tablets, connected TV (CTV) boxes, digital projectors, and car infotainment systems, are estimated to have fallen prey to the BADBOX 2.0 scheme. All the affected devices are manufactured in mainland China and shipped globally. A majority of the infections have been reported in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).
The operation has since been partially disrupted for a second time in three months, after an undisclosed number of BADBOX 2.0 domains were sinkholed in an attempt to cut off communications with the infected devices. Google, for its part, removed a set of 24 apps from the Play Store that distributed the malware. A portion of its infrastructure was previously taken down by the German government in December 2024.
“The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices,” Google said. “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”
The backdoor that forms the core of the operation is based on an Android malware known as Triada. Codenamed BB2DOOR, it is propagated in three different ways: as a pre-installed component on the device, fetched from a remote server when the device is booted for the first time, and downloaded via more than 200 trojanized versions of popular apps from third-party stores.
It’s said to be the handiwork of a threat cluster named MoYu Group, which advertises residential proxy services built upon BADBOX 2.0-infected devices. Three other threat groups are responsible for overseeing other aspects of the scheme –
“These groups were connected to one another through shared infrastructure (common C2 servers) and historical and current business ties,” HUMAN said.
The latest iteration represents a significant evolution and adaptation, with the attacks also relying on infected apps from third-party app stores and a more sophisticated version of the malware that entails modifying legitimate Android libraries to set up persistence.
Interestingly, there is some evidence to suggest overlaps between BB2DOOR and Vo1d, another malware that’s known to specifically target off-brand Android-based TV boxes.
“The BADBOX 2.0 threat in particular is compelling in no small part because of the open-season nature of the operation,” the company added. “With the backdoor in place, infected devices could be instructed to carry out any cyber attack a threat actor developed.”
The development comes as Google removed over 180 Android apps spanning 56 million downloads for their involvement in a sophisticated ad fraud scheme dubbed Vapor that leverages fake Android apps to deploy endless, intrusive full-screen interstitial video ads, per the IAS Threat Lab.
It also follows the discovery of a new campaign that employs DeepSeek-themed decoy sites to trick unsuspecting users into downloading an Android banking malware referred to as Octo.