BADBOX 2.0 Malware Hits Over a Million Android Devices in Global Cyber Threat

HUMAN’s Satori Threat Intelligence and Research team, in collaboration with Google, Trend Micro, and Shadowserver, has uncovered and partially disrupted a massive cyber fraud operation named BADBOX 2.0.

This operation, an evolved iteration of the original BADBOX malware disclosed in 2023, has infected over 1 million Android Open Source Project (AOSP) devices worldwide, marking it as the largest botnet of infected connected TV (CTV) devices ever documented.

Botnet Scale Targets Low-Cost Android Devices

Unlike certified Android TV OS devices, these low-cost, off-brand gadgets, ranging from CTV boxes to tablets and digital projectors, originate primarily from mainland China and have been observed generating malicious traffic across 222 countries and territories, with significant impact in Brazil, the United States, and Mexico.


BADBOX 2.0 operates through a deeply embedded backdoor, dubbed BB2DOOR, which exploits modified Android native libraries like libanl.so to grant threat actors persistent privileged access.

Figure: three backdoor delivery mechanisms for BADBOX 2.0

This backdoor, often pre-installed or downloaded via command-and-control (C2) servers or unofficial app marketplaces, enables a range of fraudulent activities.

These include programmatic ad fraud through hidden ads and WebViews, click fraud on low-quality domains, and the sale of residential proxy services that facilitate downstream attacks such as account takeovers (ATO), Distributed Denial of Service (DDoS), and malware distribution.

Sophisticated Fraud Schemes

Satori researchers identified four key threat actor groups (SalesTracker, MoYu, Lemon Group, and LongTV) working in tandem through shared C2 infrastructure, amplifying the operation’s reach and complexity.

For instance, MoYu offers residential proxy services at $13.64 per 5 GB, routing traffic through infected devices, while LongTV apps deploy hidden ads via “evil twin” techniques mimicking legitimate apps.

The technical sophistication of BADBOX 2.0 lies in its adaptability and delivery mechanisms.

Figure: overview of the backdoor execution

The malware decrypts encrypted strings within its libraries to deploy persistence modules (like p.jar and q.jar) and fetches fraud payloads from C2 servers such as catmore88[.]com.

This amounts to remote code execution: attackers can push any malicious APK or script to an infected device, with observed uses ranging from ad fraud campaigns generating 5 billion fraudulent bid requests weekly to the data exfiltration observed by Trend Micro.

Google has responded by terminating associated publisher accounts in its ad ecosystem and ensuring Google Play Protect blocks BADBOX-related apps on certified devices.

However, the supply chain vulnerabilities in uncertified AOSP devices remain a persistent challenge, as threat actors continue to adapt post-disruption, a pattern seen after the German government sinkholed BADBOX infrastructure in December 2024.

Despite these efforts, the scale of BADBOX 2.0 underscores a critical gap in consumer device security.

HUMAN’s Defense Platform and advertising protection solutions are actively shielding users, but the open-ended nature of the backdoor, which is capable of executing any attack its operators choose, poses an ongoing threat.

Satori researchers warn of potential further adaptations by these collaborative threat actors, emphasizing the need for collective defense and for consumer vigilance, including sticking to official app marketplaces.

Indicators of Compromise (IoCs)

Device model examples: TV98, X96Q_Max_P, X96mini, X96Q_PRO, KM9PRO, MBOX, Transpeed, Smart_TV

C2 domain examples: 100ulife.com, ipmoyu.com, ads-goal.com, long.tv, bullet-proxy.com, vividweb.work
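As an added example (not code from HUMAN’s report or this article), the following Python script checks device models and DNS-query log lines against the indicators listed above, handling defanged notation and subdomains of the listed C2 domains; the log lines are constructed and their format is an assumption.

```python
import re
from typing import Optional

# Indicators taken from the article's IoC table and body text (catmore88[.]com is defanged there).
BADBOX_C2_DOMAINS = {
    "100ulife.com", "ipmoyu.com", "ads-goal.com", "long.tv",
    "bullet-proxy.com", "vividweb.work", "catmore88[.]com",
}
BADBOX_DEVICE_MODELS = {
    "TV98", "X96Q_Max_P", "X96mini", "X96Q_PRO", "KM9PRO", "MBOX",
    "Transpeed", "Smart_TV",
}

def refang(domain: str) -> str:
    """Normalise defanged notation ('[.]', '(.)', 'hxxp://') to a plain lower-case domain."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")   # drop the trailing dot of a fully-qualified name

_C2 = {refang(d) for d in BADBOX_C2_DOMAINS}

def matches_c2(qname: str) -> Optional[str]:
    """Return the listed C2 domain when qname is it or one of its subdomains, else None.
    Suffix matching requires a label boundary, so 'notlong.tv' does not match 'long.tv'."""
    q = refang(qname)
    for c2 in _C2:
        if q == c2 or q.endswith("." + c2):
            return c2
    return None

def scan_dns_log(lines):
    """Assumed log format: '<timestamp> <client-ip> <qname>'. Returns (client, qname, c2) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue   # skip malformed lines
        client, qname = parts[1], parts[2]
        c2 = matches_c2(qname)
        if c2:
            hits.append((client, qname, c2))
    return hits

def is_listed_model(model: str) -> bool:
    """Case-insensitive check of a device's ro.product.model value against the listed models."""
    return model.strip().lower() in {m.lower() for m in BADBOX_DEVICE_MODELS}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-05T10:00:01Z 192.168.1.23 api.ipmoyu.com",
    "2025-03-05T10:00:02Z 192.168.1.40 www.example.com",
    "2025-03-05T10:00:03Z 192.168.1.23 CATMORE88.COM.",
    "2025-03-05T10:00:04Z 192.168.1.51 notlong.tv",
]

if __name__ == "__main__":
    for client, qname, c2 in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname} -> matches BADBOX 2.0 C2 {c2}")
```

A model match alone is not proof of infection, since the listed models are also sold clean; treat it as a prompt to inspect the device's traffic.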
