BadBox Malware from Google Play Hacked 50,000+ Android Devices Using 24 Apps


HUMAN Security’s Satori Threat Intelligence team has uncovered a sophisticated malware operation dubbed “BADBOX 2.0” that compromised over 50,000 Android devices using 24 deceptive applications.

This operation represents a major expansion of the original BADBOX campaign first identified in 2023, according to researchers who collaborated with Google, Trend Micro, and Shadowserver to partially disrupt the threat.

The malware primarily targeted low-cost, “off-brand” Android Open Source Project devices including connected TV boxes, tablets, digital projectors, and vehicle infotainment systems.

Devices were infected through a sophisticated backdoor that researchers named “BB2DOOR,” which provided threat actors with persistent privileged access to compromised systems.

Researchers at HUMAN Security’s Satori Threat Intelligence team identified four distinct threat actor groups involved in the operation: SalesTracker Group, MoYu Group, Lemon Group, and LongTV.

These groups cooperated through shared infrastructure and business connections to deploy multiple fraud schemes including residential proxy services, programmatic ad fraud, and click fraud.

The backdoor worked by loading a malicious library called libanl.so that deployed fraud mechanisms to the device.

When activated, the code would download and install multiple files responsible for maintaining communication with command-and-control servers.

The three backdoor delivery mechanisms for BADBOX 2.0 (Source – Human Security)

The following smali listing shows how the backdoor is initialized from the app's Application class (comments added for explanation; the listing is cut off in the source where noted):

# Application subclass: its static initializer runs as soon as the app process
# starts, before any Activity or onCreate() code a user could interact with.
.class public Lcom/hs/App;
.super Landroid/app/Application;
.source "SourceFile"

# <clinit> is the static constructor (class initializer).
.method static constructor <clinit>()V
    .locals 2
    # Create a single-threaded scheduled executor and keep it in the static
    # field App.b (line truncated in the source listing; the JDK call is
    # Executors.newSingleThreadScheduledExecutor()).
    invoke-static {}, Ljava/util/concurrent/Executors;->newSingleThreadScheduledExec
    move-result-object v0
    sput-object v0, Lcom/hs/App;->b:Ljava/util/concurrent/ScheduledExecutorService;
    # System.loadLibrary("anl") loads libanl.so, the native library that
    # carries the fraud modules described above.
    const-string v0, "anl"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    # 64-bit constant 0x1d4c0 (120000 decimal); the source listing ends here.
    const-wide/32 v0, 0x1d4c0
Backdoor execution (Source – Human Security)
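As an added example (not code from HUMAN Security, Google or the malware authors), the script below shows a static triage check a defender can run over an APK and its decompiled smali: it flags native libraries loaded from a class initializer, the pattern in the listing above, and cross-checks the packaged `.so` files against a watchlist. The smali text and the APK-shaped zip are constructed for the demo; the only indicator taken from the article is the library name libanl.so.

```python
"""Static triage for the BB2DOOR-style loader pattern (added example).

Assumptions (not from the article): the smali sample and the in-memory APK
are constructed; the thresholds and the helper names are mine.
"""
import io
import re
import zipfile

# Constructed smali modelled on the article's listing: the Application class
# loads a native library from <clinit>, and a second method loads another one.
SAMPLE_SMALI = """\
.class public Lcom/hs/App;
.super Landroid/app/Application;
.method static constructor <clinit>()V
    .locals 2
    const-string v0, "anl"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
.method public onCreate()V
    .locals 1
    const-string v0, "helper"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method
"""

WATCHLIST = {"libanl.so"}  # native library named in the article

CLASS_RE = re.compile(r"^\.class\b.*?(L[\w/$]+;)\s*$", re.M)
METHOD_RE = re.compile(r"^\.method\b(.*?)$(.*?)^\.end method", re.M | re.S)
# const-string vN, "name" immediately followed by System.loadLibrary(vN)
LOADLIB_RE = re.compile(
    r'const-string\s+(v\d+),\s*"([^"]+)"\s*\n\s*'
    r"invoke-static\s+\{\1\},\s*Ljava/lang/System;->loadLibrary"
)


def native_loads(smali: str):
    """Return (class, method header, library) for each constant-string
    System.loadLibrary call found in a method body."""
    cls_match = CLASS_RE.search(smali)
    cls = cls_match.group(1) if cls_match else "?"
    found = []
    for m in METHOD_RE.finditer(smali):
        header, body = m.group(1).strip(), m.group(2)
        for lm in LOADLIB_RE.finditer(body):
            found.append((cls, header, lm.group(2)))
    return found


def flag_clinit_loads(smali: str):
    """Libraries loaded from a class initializer, i.e. before any user-visible
    app code runs; this is the suspicious part of the pattern."""
    return [lib for _, hdr, lib in native_loads(smali) if "<clinit>" in hdr]


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip (not a real sample) with two native libs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed>")
        z.writestr("lib/arm64-v8a/libanl.so", b"\x7fELF" + b"\0" * 16)
        z.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + b"\0" * 16)
    return buf.getvalue()


def native_libs(apk_bytes: bytes):
    """Map ABI -> set of .so names packaged under lib/<abi>/ in the APK."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                out.setdefault(parts[1], set()).add(parts[2])
    return out


def watchlist_hits(apk_bytes: bytes):
    """Packaged native libraries that appear on the watchlist."""
    libs = set().union(*native_libs(apk_bytes).values()) if native_libs(apk_bytes) else set()
    return sorted(libs & WATCHLIST)


def triage(apk_bytes: bytes, smali: str) -> dict:
    """Combine both signals into a verdict; loadLibrary("x") maps to libx.so."""
    hits = watchlist_hits(apk_bytes)
    clinit = [f"lib{name}.so" for name in flag_clinit_loads(smali)]
    return {"watchlist_hits": hits, "clinit_loads": clinit,
            "suspicious": bool(hits or clinit)}


if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_SMALI))
```

Real APKs are scanned the same way: unzip the package for `native_libs`, run the smali through `native_loads` after decompiling with a tool such as baksmali, and treat a class-initializer load of an unexpected library as a reason for manual review rather than a verdict on its own.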

The 24 malicious apps functioned as “evil twins” of legitimate Google Play Store applications: each shared a package name with a benign “decoy twin”, so that its ad requests appeared to come from the legitimate app.

This deception allowed the threat actors to generate fraudulent ad traffic at massive scale, with the hidden-ad schemes generating up to 5 billion fraudulent bid requests per week.
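The hidden-ad side of this scheme leaves a measurable trace on the ad-tech side: a package name that suddenly sends far more bid requests than a real user could trigger, from uncertified devices, with almost none of the ads ever rendered. The script below is an added example (not HUMAN Security's or Google's detection logic) of that heuristic over constructed request logs; the field names, thresholds and package name are assumptions of the example.

```python
"""Hidden-ad / evil-twin heuristic over constructed bid-request records (added example).

Assumptions: each record carries device_id, package, certified (device passed
Play Protect certification), rendered (SDK reported a visible impression) and
minute (offset inside a one-hour window). Thresholds are illustrative.
"""
from collections import defaultdict

MAX_REQ_PER_HOUR = 60     # assumed ceiling for one foreground app on one device
MIN_RENDER_RATIO = 0.5    # assumed: a genuine app shows most of what it requests


def make_sample():
    """Constructed records: one real user and one infected box using the same
    package name (placeholder, not one of the 24 apps)."""
    recs = []
    for minute in range(0, 60, 10):      # real user: a request every 10 min, all shown
        recs.append({"device_id": "dev-ok", "package": "com.example.twin",
                     "certified": True, "rendered": True, "minute": minute})
    for minute in range(60):             # infected box: 5 requests/min, never shown
        for _ in range(5):
            recs.append({"device_id": "dev-box-1", "package": "com.example.twin",
                         "certified": False, "rendered": False, "minute": minute})
    return recs


def summarize(records):
    """Aggregate per (device, package): request count, rendered count, certification."""
    stats = defaultdict(lambda: {"requests": 0, "rendered": 0, "certified": True})
    for r in records:
        s = stats[(r["device_id"], r["package"])]
        s["requests"] += 1
        s["rendered"] += int(r["rendered"])
        s["certified"] = s["certified"] and r["certified"]
    return stats


def flag_hidden_ad_devices(records):
    """Devices whose traffic for a package looks machine-generated and invisible."""
    flagged = []
    for (device, pkg), s in summarize(records).items():
        ratio = s["rendered"] / s["requests"]
        reasons = []
        if s["requests"] > MAX_REQ_PER_HOUR:
            reasons.append("request_rate")
        if ratio < MIN_RENDER_RATIO:
            reasons.append("hidden_impressions")
        if not s["certified"]:
            reasons.append("uncertified_device")  # context, not a reason by itself
        if "request_rate" in reasons or "hidden_impressions" in reasons:
            flagged.append({"device_id": device, "package": pkg,
                            "requests": s["requests"],
                            "render_ratio": round(ratio, 2), "reasons": reasons})
    return flagged


def uncertified_share(records):
    """Per package: fraction of bid requests coming from uncertified devices.
    A legitimate app's traffic is dominated by certified devices; an evil twin
    inflates the same package name from uncertified ones."""
    totals, uncert = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["package"]] += 1
        if not r["certified"]:
            uncert[r["package"]] += 1
    return {pkg: round(uncert[pkg] / n, 2) for pkg, n in totals.items()}


if __name__ == "__main__":
    sample = make_sample()
    print(flag_hidden_ad_devices(sample))
    print(uncertified_share(sample))
```

In practice the certified flag would come from an attestation signal rather than the device's own claim, and the per-package share is the number to watch over time: a jump in uncertified traffic for an established package name is the evil-twin signature the article describes.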

Google’s Response

Google has taken multiple actions to combat this threat. Google Play Protect now automatically warns users and blocks apps exhibiting BADBOX behavior at install time on certified devices with Google Play Services.

Additionally, Google terminated publisher accounts associated with BADBOX 2.0 from its advertising ecosystem.

Device owners concerned about infection should verify whether their device is Google Play Protect certified: every infected device identified was an uncertified Android Open Source Project device, manufactured in China and shipped globally.

Users should also ensure Google Play Protect is enabled and avoid downloading apps from unofficial sources.



