
Mar 18, 2025 | Ravie Lakshmanan | Cyber Attack / Malware

A recent update to the massive ad fraud and residential proxy scheme known as BADBOX has implicated at least four distinct threat actors, revealing a complex web of interconnected cybercrime activity.

According to new research from the HUMAN Satori Threat Intelligence and Research team, in collaboration with Google, Trend Micro, Shadowserver, and other partners, the threat actors involved include SalesTracker Group, MoYu Group, Lemon Group, and LongTV.

The operation, dubbed BADBOX 2.0, is described as the largest botnet of infected connected TV (CTV) devices ever discovered, characterized as a “complex and expansive fraud operation”.

BADBOX 2.0 begins with the installation of backdoors on low-cost consumer devices, enabling threat actors to remotely load fraud modules, which then communicate with command-and-control (C2) servers owned and operated by various cooperative threat actors.

The threat actors distribute the malware through several channels, including hardware supply-chain compromise and third-party app marketplaces, where they offer benign-looking applications that secretly carry loader functionality to install the backdoor on the device.

The infected devices become part of a larger botnet used for programmatic ad fraud, click fraud, and illicit residential proxy services, involving activities such as:

  • Displaying hidden ads and launching hidden WebViews to generate fake ad revenue
  • Redirecting to low-quality domains and clicking on ads for financial gain
  • Routing traffic through compromised devices
  • Utilizing the network for account takeover (ATO), fake account creation, malware distribution, and DDoS attacks

It’s estimated that approximately one million devices, primarily inexpensive Android tablets, connected TV (CTV) boxes, digital projectors, and car infotainment systems, have fallen victim to the BADBOX 2.0 scheme, with the majority of affected devices manufactured in mainland China and shipped globally.

According to the report, the countries most affected by the operation are Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).

The operation has undergone partial disruption for the second time in three months, with an undisclosed number of BADBOX 2.0 domains being sinkholed to sever communication with infected devices.

Google removed 24 apps from the Play Store that distributed the malware, while a portion of the infrastructure was previously taken down by the German government in December 2024.

Google stated that the infected devices are Android Open Source Project (AOSP) builds, which are not subject to the security and compatibility testing that Play Protect certified Android devices undergo, and which typically ship without Google Play services.
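The practical takeaway from Google's statement is that a responder who gets physical or adb access to a cheap TV box can quickly judge whether it is an uncertified AOSP build before doing deeper forensics. The script below is an added triage example, not code from HUMAN, Google or this article; it parses the output of `adb shell getprop` and `adb shell pm list packages` and flags the signals that uncertified builds commonly show (ad-hoc signing keys, a non-production build type, unverified boot, an unlocked bootloader, and no Google Play services package). The property names and package name are real Android identifiers; the sample device outputs embedded in the script are constructed for illustration, and the severity labels are an assumption of this example.

```python
"""Added example: triage heuristics for an Android/CTV box from getprop and
package-list output. Not part of the BADBOX 2.0 report; sample data below is
constructed, and the severity ratings are this example's own choice."""
import re

# Real Android system properties used as signals (expected values in comments).
EXPECTED = {
    "ro.build.tags": "release-keys",      # ad-hoc builds report "test-keys"
    "ro.build.type": "user",              # dev builds report "userdebug" or "eng"
    "ro.boot.verifiedbootstate": "green", # "orange"/"yellow"/"red" = not a locked, verified boot
    "ro.boot.flash.locked": "1",          # "0" = bootloader unlocked
}
# Google Play services; absent on uncertified AOSP devices.
GMS_PACKAGE = "com.google.android.gms"

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn raw `adb shell getprop` output into a dict; ignores malformed lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_packages(text):
    """Turn raw `adb shell pm list packages` output ("package:<name>") into a set."""
    return {
        line.strip()[len("package:"):]
        for line in text.splitlines()
        if line.strip().startswith("package:")
    }


def assess(props, packages):
    """Return a list of (severity, message) findings; an empty list means no red flags."""
    findings = []
    if props.get("ro.build.tags") != EXPECTED["ro.build.tags"]:
        findings.append(("high", "build signed with %s (expected release-keys)"
                         % props.get("ro.build.tags", "unknown")))
    if props.get("ro.build.type", "user") != EXPECTED["ro.build.type"]:
        findings.append(("medium", "non-production build type %s" % props["ro.build.type"]))
    if props.get("ro.boot.verifiedbootstate") != EXPECTED["ro.boot.verifiedbootstate"]:
        findings.append(("high", "verified boot state %s (expected green)"
                         % props.get("ro.boot.verifiedbootstate", "unset")))
    if props.get("ro.boot.flash.locked") != EXPECTED["ro.boot.flash.locked"]:
        findings.append(("medium", "bootloader not reported as locked"))
    if GMS_PACKAGE not in packages:
        findings.append(("high", "%s missing: no Google Play services on device" % GMS_PACKAGE))
    return findings


def assess_device(getprop_text, packages_text):
    """Convenience wrapper: raw adb output in, findings out."""
    return assess(parse_getprop(getprop_text), parse_packages(packages_text))


# Constructed sample output for an uncertified AOSP box (not a real device capture).
SUSPECT_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.product.model]: [ConstructedBox]
"""
SUSPECT_PACKAGES = """\
package:com.android.settings
package:com.example.launcher
"""

# Constructed sample output for a certified, locked production device.
CERTIFIED_GETPROP = """\
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
"""
CERTIFIED_PACKAGES = """\
package:com.android.settings
package:com.google.android.gms
"""

if __name__ == "__main__":
    for label, gp, pk in (("suspect", SUSPECT_GETPROP, SUSPECT_PACKAGES),
                          ("certified", CERTIFIED_GETPROP, CERTIFIED_PACKAGES)):
        print(label)
        for severity, msg in assess_device(gp, pk) or [("info", "no red flags")]:
            print("  [%s] %s" % (severity, msg))
```

These signals only say that the box is an unlocked, uncertified build, which is the population BADBOX 2.0 preys on; they are not a detection of the backdoor itself. A developer device with an intentionally unlocked bootloader will trip the same checks, so treat a hit as a reason to image the firmware and inspect the pre-installed apps and modified system libraries rather than as a verdict.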

The core of the operation is a backdoor derived from the Triada Android malware family, which HUMAN tracks as BB2DOOR. It reaches devices by three routes: pre-installation on the device at the factory, fetching from a remote server at first boot, and download inside trojanized versions of popular apps from third-party stores.

BB2DOOR is attributed to a threat cluster named MoYu Group, which offers residential proxy services built upon BADBOX 2.0-infected devices.

Three other threat groups are responsible for overseeing various aspects of the scheme:

  • SalesTracker Group, connected to the original BADBOX operation and a module that monitors infected devices
  • Lemon Group, connected to residential proxy services based on BADBOX and an ad fraud campaign across a network of HTML5 (H5) game websites using BADBOX 2.0
  • LongTV, a Malaysian internet and media company behind an ad fraud campaign based on an “evil twin” approach

HUMAN notes that these groups are connected through shared infrastructure and historical and current business ties.

The latest iteration represents a significant evolution and adaptation, with the attacks relying on infected apps from third-party app stores and a more sophisticated version of the malware that modifies legitimate Android libraries to establish persistence.

There is evidence suggesting overlaps between BB2DOOR and Vo1d, another malware targeting off-brand Android-based TV boxes.

HUMAN emphasizes that the BADBOX 2.0 threat is notable due to its open-season nature, allowing infected devices to be instructed to carry out any cyber attack a threat actor develops.

This development follows Google’s removal of over 180 Android apps involved in a sophisticated ad fraud scheme dubbed Vapor, which leverages fake Android apps to deploy intrusive full-screen interstitial video ads.

Additionally, a new campaign has been discovered that employs DeepSeek-themed decoy sites to trick users into downloading an Android banking malware referred to as Octo.
