A vast cyber fraud operation has been uncovered and partially disrupted, exposing about one million compromised consumer devices, mainly low-cost, uncertified connected TV (CTV) boxes and other Android-based products, to ad fraud, proxy services, and other malicious activities. Dubbed BADBOX 2.0, this botnet infiltrated the products through hidden backdoors, allowing attackers to install fraudulent software remotely.
The operation affected devices worldwide, spanning 222 countries and territories, and enabled cybercriminals to manipulate digital advertising, execute unauthorised transactions, and exploit users’ internet connections without their knowledge.
The BADBOX 2.0 operation was orchestrated by four distinct but interconnected groups: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The SalesTracker Group managed the botnet’s command-and-control infrastructure, overseeing the distribution of fraud modules. The MoYu Group was responsible for developing and deploying the backdoor that infected devices, managing a click fraud campaign and planning a broader programmatic ad fraud operation.

Lemon Group focused on ad fraud within a network of H5 game websites, taking advantage of infected devices to generate fraudulent activity. LongTV, a Malaysian entity, developed apps that carried out hidden ad fraud, disguising malicious software as legitimate applications.
These devices are manufactured in China and shipped globally. Once compromised, they became part of a botnet capable of executing multiple fraudulent schemes. Hidden ad units and webviews were deployed to generate fake impressions and clicks, inflating the attackers’ advertising revenues.
Infected devices also served as residential proxy nodes, allowing cybercriminals to disguise their online activities and bypass security measures. Click fraud was another key component of the operation: attackers directed compromised devices to low-quality domains, where the devices automatically clicked on ads.

Additionally, these devices facilitated account takeovers, fake account creation, and even the distribution of malware, increasing the overall threat to digital security.
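The click-fraud and hidden-webview schemes described above leave a characteristic footprint in ad-event logs: a device that clicks at a machine-regular cadence, almost exclusively on low-quality landing domains. The following detector is an added example written for this article and is not code from HUMAN, Google, or any of the named researchers; the log schema, the sample events, the low-quality domain list and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic detector for automated click fraud in device-level ad-event logs.

Added example, not code from HUMAN or Google. The log schema, the domain
list and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of ad-click events: (device_id, unix_seconds, landing_domain).
# "ctv-001" clicks every 30 s on the same low-quality domain, the way a hidden
# webview driven by a fraud module would; "ctv-002" looks like a human viewer.
SAMPLE_EVENTS = [
    ("ctv-001", 1_700_000_000 + 30 * i, "cheap-ads.example") for i in range(40)
] + [
    ("ctv-002", 1_700_000_000, "news.example"),
    ("ctv-002", 1_700_000_000 + 417, "shop.example"),
    ("ctv-002", 1_700_000_000 + 1290, "news.example"),
]

# Constructed placeholder for the domains an ad-quality team has scored as low quality.
LOW_QUALITY_DOMAINS = {"cheap-ads.example"}


def profile_device(timestamps, domains):
    """Summarise one device's clicks as (clicks_per_hour, low_quality_fraction, interval_cv).

    interval_cv is the coefficient of variation of the gaps between consecutive
    clicks: close to 0 means a metronome-like cadence, which humans do not produce.
    """
    ts = sorted(timestamps)
    span_hours = max(ts[-1] - ts[0], 1) / 3600
    clicks_per_hour = len(ts) / span_hours
    low_quality_fraction = sum(d in LOW_QUALITY_DOMAINS for d in domains) / len(domains)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) >= 2 and mean(gaps) > 0:
        interval_cv = pstdev(gaps) / mean(gaps)
    else:
        interval_cv = float("nan")  # too few clicks to judge regularity
    return clicks_per_hour, low_quality_fraction, interval_cv


def flag_suspicious_devices(events, min_clicks=20, max_cv=0.1, min_low_quality=0.8):
    """Return {device_id: reason} for devices whose click pattern looks automated.

    A device is flagged only when it has enough clicks to judge, its clicks are
    spaced with near-zero variance, and most land on low-quality domains.
    The thresholds are constructed defaults, not values from the article.
    """
    by_device = defaultdict(lambda: ([], []))
    for device_id, ts, domain in events:
        by_device[device_id][0].append(ts)
        by_device[device_id][1].append(domain)

    flagged = {}
    for device_id, (timestamps, domains) in by_device.items():
        if len(timestamps) < min_clicks:
            continue
        rate, low_q, cv = profile_device(timestamps, domains)
        if cv <= max_cv and low_q >= min_low_quality:
            flagged[device_id] = (
                f"{len(timestamps)} clicks at {rate:.0f}/h, interval CV {cv:.2f}, "
                f"{low_q:.0%} on low-quality domains"
            )
    return flagged


if __name__ == "__main__":
    for device, reason in flag_suspicious_devices(SAMPLE_EVENTS).items():
        print(f"{device}: {reason}")
```

In production the same three signals would be computed over a rolling window per device or per residential IP, and the domain list would come from the ad platform's own quality scoring rather than a hard-coded set; the point of the example is that cadence regularity and landing-domain quality together separate a hidden webview from a viewer far better than click volume alone.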
“While HUMAN and its partners currently observe the threat actors pushing payloads to the device to implement these fraud schemes, the attackers are not limited to just these four types of fraud,” researchers explained. “These threat actors have the technical capability to push any functionality they want to the device by loading and executing an APK file of their choosing, or by requesting the device to execute code.”
As researchers pointed out, the infection spread through multiple vectors. Some devices came with pre-installed backdoors, while others were infected when they first connected to command-and-control servers. Additionally, unsuspecting users downloaded malicious applications from third-party app stores, inadvertently turning their devices into tools for cybercriminals.
In response to the threat, Google and other cybersecurity partners collaborated to disrupt BADBOX 2.0. Google Play Protect now actively blocks and warns users about apps exhibiting BADBOX behaviour, helping prevent further infections.

Publisher accounts associated with the operation have been terminated from the Google Ad ecosystem, limiting the threat actors’ ability to monetise their fraudulent activities. Additional advertising fraud protection measures have been implemented to neutralise BADBOX 2.0’s financial incentives, making it more difficult for attackers to profit from their schemes.
Users are advised to verify that their devices are Google Play Protect certified and to avoid purchasing uncertified, off-brand products that could be vulnerable to similar attacks.