A New Wave in Ad Fraud and Botnet Attacks

Overview

A new version of a major ad fraud and residential proxy scheme, known as BADBOX 2.0, has emerged, involving at least four different cybercrime groups. This operation has been described as the largest botnet ever found among connected TV devices and similar gadgets. The scheme infects low-cost consumer devices, turning them into parts of a vast network used to commit various online frauds.

You might be intertested in: Your Router Might Be Infected by Ballista Botnet

The Cybercrime Groups Behind the Attack

Four main groups are involved in this operation:

• SalesTracker Group: This group is tied to the original BADBOX project and now handles modules that monitor the infected devices.
• MoYu Group: They are behind the malware called BB2DOOR (based on the Triada malware) and offer residential proxy services using compromised devices.
• Lemon Group: Responsible for both running residential proxy services and managing an ad fraud campaign on several HTML5 game websites.
• LongTV: A Malaysian company with a suite of apps that participate in an ad fraud scheme using a method often called the “evil twin.”

These groups work together, sharing control servers and maintaining business connections to support the overall operation.

How the Infection Spreads

BADBOX 2.0 starts with a hidden backdoor installed on affordable devices like Android tablets, CTV boxes, digital projectors, and car infotainment systems. This backdoor is delivered in three ways:

• It may come pre-installed on the device.
• It can be downloaded from a remote server when the device boots for the first time.
• It is also spread through over 200 tampered versions of popular apps from third-party stores.

Once the backdoor is active, it allows attackers to load additional fraud tools and control the device remotely.

What the Botnet Does

Once a device is infected, it joins a botnet used for various illegal activities, such as:

• Fake Advertising: The devices launch hidden web views and ads to generate fake revenue.
• Ad Clicking and Domain Navigation: They visit low-quality websites and click on ads to earn money.
• Traffic Routing: The network can be used to hide the real source of internet traffic.
• Other Malicious Activities: The botnet can support account takeovers, create fake accounts, spread more malware, or even carry out DDoS attacks.

It is estimated that up to one million devices are compromised, with most of the infections reported in Brazil, the United States, Mexico, and Argentina.

Steps Taken to Disrupt the Operation

Several measures have been taken to slow down BADBOX 2.0:

• Domain Sinkholing: Authorities have redirected many BADBOX 2.0 domains to cut off the communication between infected devices and their control servers.
• App Removals: Google removed 24 apps from its Play Store that were found to distribute the malware. These devices are not covered by Google’s Play Protect, which means they do not go through the usual safety checks.
• Government Action: Parts of the infrastructure were also shut down by the German government back in December 2024.

Additional Insights

The backdoor in BADBOX 2.0, known as BB2DOOR, shows similarities with another malware called Vo1d, which targets off-brand Android TV boxes. This new version of the operation uses updated methods to hide within legitimate apps and even modifies genuine Android libraries to stay active on the device.

This development comes on the heels of other ad fraud schemes, such as the Vapor campaign—which led to the removal of over 180 Android apps with millions of downloads—and a new effort that tricks users into downloading an Android banking malware called Octo through fake decoy sites.

Final Thoughts

BADBOX 2.0 highlights how cybercrime groups can work together and use common tools to create large-scale networks of compromised devices. By infecting everyday gadgets with hidden malware, these groups are able to carry out a variety of online frauds and attacks, showing the ongoing challenges in the fight against cybercrime.