BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely. These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors. The BADBOX and BADBOX 2.0 threat actors exploit software or hardware supply chains or distribute seemingly benign applications that contain “loader” functionality in order to infect these devices and applications with the backdoor.
Once a fraud module is deployed, infected devices may become part of a botnet and subsequently have the capacity to conduct several attacks including:
Programmatic ad fraud
Click fraud
Residential proxy services (which, in turn, facilitate the following attacks):
Account takeover (ATO)
Fake account creation
DDoS
Malware distribution
One-time password (OTP) theft
This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide. A list of models affected by BADBOX 2.0 is available in the Indicators of Compromise below.
Satori researchers worked closely with Google to disrupt the infrastructure powering BADBOX 2.0. Google has taken the following actions:
Google Play Protect, Android’s built-in malware and unwanted software protection, automatically warns users and blocks apps known to exhibit BADBOX associated behavior at install time on Play Protect certified Android devices with Google Play Services, even when apps come from sources outside of Play. Google Play Protect is on by default on Android devices with Google Play Services.
Google has taken action to terminate publisher accounts associated with BADBOX 2.0 from the Google Ad ecosystem.
Google recommends checking whether your device is Google Play Protect certified.
“We appreciate collaborating with HUMAN to take action against the BADBOX operation. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help you confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners. You can also take these steps to check if your device is Play Protect certified. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled.”
Google
BADBOX 2.0, like BADBOX and other attacks, is reflective of cybercriminals’ attempts to target every stage of the customer journey. The fraudsters in this operation attacked the digital advertising ecosystem, compromised the journey from an ad to a website, abused login portals through residential proxy capabilities, and exploited the backdoored devices as a botnet.
Executive Summary
HUMAN’s Satori Threat Intelligence and research team has uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a sprawling and complex cyberattack dubbed BADBOX 2.0. BADBOX 2.0 is a major adaptation and expansion of the Satori team’s 2023 BADBOX disclosure, and is the largest botnet made up of infected connected TV (CTV) devices ever uncovered. (BADBOX had a portion of its infrastructure taken down by the German government in December 2024.) The BADBOX 2.0 investigation reflects how the threat actors have shifted their targets and tactics following the BADBOX disruption in 2023.
This attack centered primarily on low-cost, ‘off-brand’ and uncertified Android Open Source Project devices with a backdoor. These backdoored devices gave the threat actors the access needed to launch fraud schemes of several kinds, including the following:
Residential proxy services: selling access to the device’s IP address without the user’s permission
Ad fraud – hidden ad units: using built-in content apps to render hidden ads
Ad fraud – hidden WebViews: launching hidden browser windows that navigate to a collection of game sites owned by the threat actors
Click fraud: navigating an infected device to a low-quality domain and clicking on an ad present on the page
While HUMAN and its partners currently observe the threat actors pushing payloads to the device to implement these fraud schemes, the attackers are not limited to just these 4 types of fraud. These threat actors have the technical capability to push any functionality they want to the device by loading and executing an APK file of their choosing, or by requesting the device to execute code. For example, researchers at Trend Micro who collaborated on this investigation with HUMAN observed one of the threat actor groups (Lemon Group) deploying payloads to programmatically create accounts in online services, collect sensitive data from devices and more.
The backdoor underpinning the BADBOX 2.0 operation is distributed in three ways:
pre-installed on the device, in a similar fashion to the primary BADBOX backdoor
retrieved from a command-and-control (C2) server contacted by the device on first boot
downloaded from third-party marketplaces by unsuspecting users
Diagram outlining the three backdoor delivery mechanisms for BADBOX 2.0
Satori researchers identified four threat actor groups involved in BADBOX 2.0:
SalesTracker Group—so named by HUMAN for a module used by the group to monitor infected devices—is the group researchers believe is responsible for the BADBOX operation, and that staged and managed the C2 infrastructure for BADBOX 2.0.
MoYu Group—so named by HUMAN based on the name of residential proxy services offered by the threat actors based on BADBOX 2.0-infected devices—developed the backdoor for BADBOX 2.0, coordinated the variants of that backdoor and the devices on which they would be installed, operated a botnet composed of a subset of BADBOX 2.0-infected devices, operated a click fraud campaign, and staged the capabilities to run a programmatic ad fraud campaign.
Lemon Group, a threat actor group first reported by Trend Micro, is connected to the residential proxy services created through the BADBOX operation, and is connected to an ad fraud campaign across a network of HTML5 (H5) game websites using BADBOX 2.0-infected devices.
LongTV is a brand run by a Malaysian internet and media company, which operates connected TV (CTV) devices, and develops apps for those devices and for other Android Open Source Project devices. Several LongTV-developed apps are responsible for an ad fraud campaign centered on hidden ads based on an “evil twin” technique as described by Satori researchers in the 2024 Konfety disclosure. (This technique centers on malicious apps distributed through non-official channels representing themselves as similar benign apps distributed through official channels which share a package name.)
These groups were connected to one another through shared infrastructure (common C2 servers) and historical and current business ties.
Satori researchers discovered BADBOX 2.0 while monitoring the remaining BADBOX infrastructure for adaptation following its disruption; as a matter of course, Satori researchers keep an eye on threats long after they’re first disrupted. In the case of BADBOX 2.0, researchers had been watching the threat actors for more than a year between the first BADBOX disclosure and BADBOX 2.0.
Researchers found new C2 servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BADBOX. Pulling on those threads led the researchers to find the various threats on each device.
Through collaboration with Google, Trend Micro, Shadowserver, and other HUMAN partners, BADBOX 2.0 has been partially disrupted. The threat actors’ ad fraud monetization capabilities have been mitigated by solutions within HUMAN’s Advertising Protection, a suite of solutions which safeguard the advertising ecosystem, and through joint action from partners, including publisher account termination. Google Play Protect automatically warns users and blocks apps known to exhibit BADBOX 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. HUMAN customers are and have been protected from the impacts of BADBOX 2.0. Researchers continue to monitor the BADBOX 2.0 threat actors for further adaptation.
BADBOX & BADBOX 2.0: Adaptation and Discovery
As we wrote in the original report on the BADBOX operation in 2023, disruption is often not the end of the story, but only the end of a chapter. The threat actors were likely to regroup and adapt, hunting for new ways to carry out attacks in the hope that the defenses established to stop an attack like BADBOX might not work on the new tactics. And that’s precisely what Satori researchers observed.
Following our disclosure, the C2 servers powering the original BADBOX operation were shut down and the infected devices delisted from major marketplaces. Minor adaptations—like the threat actors Photoshopping out the model names from the screenshots of infected device models for new marketplace listings—were quickly identified and handled. And in December 2024, the German government sinkholed C2 servers from BADBOX, effectively dismantling a significant portion of the operation.
During Satori’s initial BADBOX investigation, researchers observed this response from one of the C2 servers:
A BADBOX C2 response
A snippet of the same response, with “Saletracker” highlighted
Notice the cpbheback[.]com in the response. That’s the domain for one of the C2 servers associated with the initial BADBOX operation. Notice also Saletracker [sic]. That’s referencing a module used by a Chinese device manufacturer for monitoring sales activity of their products. What’s visible in the response, however, isn’t the actual monitoring module; it’s a fake. The threat actors behind BADBOX used this as a fig leaf for controlling the Triada-based backdoor in that operation.
The threat actors behind this mimicry and the BADBOX operation set up a series of domains to host the C2 servers for BADBOX. In the spring of 2024, Satori researchers found a collection of new C2 servers hosting test versions of new backdoors.
These new C2 servers help connect the dots from one threat actor group to the next – many of the threat actors behind BADBOX 2.0’s various components shared parts of this new C2 infrastructure.
Once Satori researchers began digging into the new C2 servers, the whole BADBOX 2.0 operation began to reveal itself. One threat actor led to another, one attack led to another, and what follows is what Satori found.
BADBOX 2.0: Threat Actor Groups
Over the course of the investigation, Satori researchers identified four threat actor groups involved in BADBOX 2.0. Each group played a distinct role in the overall scheme, though there is likely collaboration and/or overlap from one group to another, as evidenced by the shared infrastructure. Satori’s research on the evolving BADBOX/BADBOX 2.0 family of operations continues, and additional threat actor groups may be identified.
SalesTracker Group
“SalesTracker Group” is a name given to a group of threat actors which Satori researchers believe is responsible for the original BADBOX operation. The name derives from the module used to obfuscate the Triada malware powering the BADBOX backdoor.
While monitoring for adaptation after HUMAN’s BADBOX report, Satori researchers observed that the SalesTracker threat actors had accidentally exposed information about themselves while spinning up new C2 servers.
Within the BADBOX 2.0 operation, the SalesTracker Group was chiefly responsible for standing up new C2 domains and making resources available to other groups in the operation.
MoYu Group
“MoYu Group” is a name given to a collection of threat actors based on the name of the residential proxy service they offer. Satori researchers believe this organization is the operator of the backdoors found pre-installed on BADBOX 2.0 devices and bundled into the 200+ apps shared through unofficial app marketplaces. Researchers linked the SalesTracker threat actors to the MoYu threat actors with high confidence based on commonalities in their C2 infrastructure configurations.
The BADBOX 2.0 backdoor provided MoYu threat actors with persistent privileged access to infected devices. With this access, MoYu is able to carry out a variety of fraud schemes, including residential proxy node creation, remote code execution, ad fraud, click fraud, and data exfiltration.
The homepage of IpMoYu, advertising residential proxy services based on BADBOX 2.0-infected devices
Additionally, Satori researchers found information within MoYu’s C2 infrastructure that shed light on a botnet controlled by the threat actors. This information revealed details about each of the devices, including which version of the backdoor was active, when the device was last active, and where the device was based.
The MoYu and Lemon Group threat actors used an identifier called “channel” to keep tabs on the various permutations of backdoor/C2 configuration for each node in the botnet. Researchers identified 20 distinct “channels” controlling more than 83,000 devices worldwide. Lemon Group uses these “channels” to decide which modules to push to different groups of compromised devices. (Note: there are far more than 83,000 devices infected by BADBOX 2.0; that number reflects only those controllable by MoYu threat actors in this specific botnet.)
Lemon Group
Lemon Group is a China-based threat actor group known to the cybersecurity community for their use of Triada-inspired malware; this malware strain was also used in the BADBOX operation.
Satori researchers found indications that Lemon Group threat actors were involved in selling residential proxy services during the BADBOX operation; the BADBOX proxy services’ domains and the C2 domains connect back to Dove Proxy, a residential proxy service referenced in the Trend Micro report above, as affiliated with Lemon Group.
YouTube videos explaining the how-to of the residential proxy service offered by Lemon Group
YouTube video description for Dove Proxy, a known Lemon Group property
The account setup process for both proxy services includes the name KCreativeInfo com, which is registered to Hefei Letang Technology Co., Ltd. This company has several apps on official and unofficial app marketplaces, using the aliases Joy Meng, Joy More, and JoyeTV.
Lemon Group—both through its Joy-themed aliases and through other entities—is also heavily connected to a multifaceted ad fraud scheme based on a series of HTML5 (H5) game websites.
LongTV
LongTV is a part of Longvision Media, a Malaysia-based internet and media company. LongTV-branded Android-based connected TV devices are popular in Southeast Asia and South America, and the company is a developer of apps both for its own branded devices and for non-LongTV-branded devices.
Satori researchers found preinstalled LongTV apps on BADBOX 2.0-infected devices, and these apps launched hidden WebViews that loaded the Lemon Group-operated H5 game sites.
BADBOX 2.0: Backdoor and Targeting
The BADBOX 2.0 operation, like its predecessor, is driven by a backdoor that gives threat actors persistent privileged access on the device. One distribution channel for this backdoor is through a preinstalled app that activates once the device is powered on, while another channel is through downloads by unsuspecting users from third-party/unofficial app marketplaces.
How the Backdoor Works
The backdoor operates in a similar fashion to how the BADBOX infection did: when the device is first turned on, it contacts a C2 server and downloads a file. That file decrypts itself into the components responsible for persistence and communications and sets up subsequent downloads, which are responsible for the fraud itself.
In the BADBOX operation, the infection centered on a critical Android file, libandroid_runtime.so, that the threat actors modified. For BADBOX 2.0, the threat actors “improved” their attack.
This BADBOX 2.0 backdoor begins when a class named com.hs.app, buried deep in the source code, loads libanl.so, the library that deploys fraud mechanisms to a device accessible to the threat actors.
com.hs.app class loading the “anl” library
libanl.so (the ANL in the file stands for Android Native Library) is a library which the threat actors have modified to implant new persistence and communications tools. This is the key step in the backdoor process:
Overview of the backdoor execution
We’ve dubbed the backdoor built around this library BB2DOOR. The backdoor targeted several off-brand Android Open Source Project devices, including:
CTV boxes
tablets
digital projectors
aftermarket vehicle infotainment systems
As shown in the diagram above, when BB2DOOR activates, it downloads and installs multiple JAR files, which are responsible for maintaining communication with the C2 servers and ensuring persistence on the device itself. Satori researchers captured this install process by observing a BADBOX 2.0-infected device in a laboratory setting:
The BB2DOOR backdoor operating in a Satori lab device
Once libanl.so is installed, the backdoor calls home to a C2 server, in this case, catmore88[.]com:
On successful installation of the backdoor, the malware reaches out to MoYu servers
Within the libanl.so backdoor, there are encrypted strings that, once decrypted, are used as part of the process to launch two dropped files, p.jar and q.jar:
Result for MRQXIYI is: data
Result for F4XHALTKMFZA is: /.p.jar
Result for F4XHALTPMF2A is: /.p.oat
Result for NJQXMYJPNRQW4ZZPKN2HE2LOM4 is: java/lang/String
Result for MNXW2LTIOMXGG3DEFZGWC2LO is: com.hs.cld.Main
Result for NVQWS3Q is: main
Result for MNXW2LTIOMXHCLSNMFUW4 is: com.hs.q.Main
Result for F4XHCLTKMFZA is: /.q.jar
Result for F4XHCLTPMF2A is: /.q.oat
One of the extracted files—q.jar—was responsible for ensuring the backdoor couldn’t be removed, and the main entry point of the com.hs.cld.Main class within p.jar was responsible for downloading new fraud modules and backdoors from the C2 servers.
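The decoded strings above are a good triage exercise for analysts. As an added example (this is not HUMAN's tooling and not code from the report), the following Python parses the "Result for X is: Y" lines reproduced on this page, decodes each token itself, and checks that the decoding agrees with the reported value; the tokens turn out to be RFC 4648 base32 with the "=" padding stripped, which is why a stock decoder rejects them until the padding is restored. The sample input is constructed from the page's own values, and the triage labels are this example's own assumptions.

```python
import base64
import re

# Constructed sample: the analyst output reproduced on this page, one result per line.
SAMPLE_OUTPUT = """\
Result for MRQXIYI is: data
Result for F4XHALTKMFZA is: /.p.jar
Result for F4XHALTPMF2A is: /.p.oat
Result for NJQXMYJPNRQW4ZZPKN2HE2LOM4 is: java/lang/String
Result for MNXW2LTIOMXGG3DEFZGWC2LO is: com.hs.cld.Main
Result for NVQWS3Q is: main
Result for MNXW2LTIOMXHCLSNMFUW4 is: com.hs.q.Main
Result for F4XHCLTKMFZA is: /.q.jar
Result for F4XHCLTPMF2A is: /.q.oat
"""

# Base32 alphabet is A-Z and 2-7; the line format is the analyst's own output format.
RESULT_RE = re.compile(r"Result for (?P<token>[A-Z2-7]+) is: (?P<plain>\S+)")


def decode_token(token: str) -> str:
    """Decode an unpadded RFC 4648 base32 token into text.

    The tokens carry no '=' padding, which is what makes a standard decoder
    reject them; padding the token out to a multiple of 8 characters is the
    whole trick.
    """
    padded = token + "=" * (-len(token) % 8)
    return base64.b32decode(padded).decode("utf-8")


def parse_results(text: str) -> list[tuple[str, str]]:
    """Return (token, reported_plaintext) pairs from 'Result for X is: Y' lines."""
    return [(m["token"], m["plain"]) for m in RESULT_RE.finditer(text)]


def verify_results(text: str) -> dict[str, bool]:
    """Map each token to whether our own decoding agrees with the reported value."""
    return {tok: decode_token(tok) == plain for tok, plain in parse_results(text)}


def classify(plain: str) -> str:
    """Rough triage label for a decoded string (assumed categories, not the report's)."""
    if plain.startswith("/."):
        return "hidden-file"   # dot-prefixed files such as /.p.jar dropped on the device
    if plain.startswith("com."):
        return "java-class"    # fully-qualified class names handed to the loader
    if "/" in plain:
        return "jni-type"      # JNI-style type descriptors such as java/lang/String
    return "other"             # method names and plain words such as "main" and "data"


def triage(text: str) -> dict[str, list[str]]:
    """Group decoded strings by label so the drop/load sequence is visible at a glance."""
    out: dict[str, list[str]] = {}
    for tok, _ in parse_results(text):
        plain = decode_token(tok)
        out.setdefault(classify(plain), []).append(plain)
    return out


if __name__ == "__main__":
    for tok, ok in verify_results(SAMPLE_OUTPUT).items():
        print(f"{tok:<28} {decode_token(tok):<20} {'match' if ok else 'MISMATCH'}")
    for label, strings in triage(SAMPLE_OUTPUT).items():
        print(f"{label}: {strings}")
```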
Satori researchers believe BB2DOOR is associated with vo1d, a malware strain disclosed by Russian cybersecurity firm Dr. WEB in 2024. While vo1d and BB2DOOR share some similarities—key among them the use of libanl.so—vo1d’s reach appears to be limited to CTV boxes, while BB2DOOR targeted several additional types of devices.
One key discovery during the BADBOX 2.0 investigation is this list of APKs (Android Package Kits) found on the threat actors’ exposed C2 server:
BB2DOOR backdoor variants retrieved from a MoYu C2 server
Each of these files corresponds to a variation of the backdoor targeting an app type and a specific device model.
Notice the beginning of each file name; each file begins with one of “AppStore”, “HiCast”, “Launcher”, “MirrCast”, “PadLauncher”, or “Update”. Satori researchers believe these designations reflect what sort of app the backdoor is built into. For example, the two app types that include the word “cast” are associated with screen-casting apps.
Notice also the letters/numbers at the end of each file name. Those reflect specific device models targeted by the threat actors. For example, “713M” is associated with a specific digital projector, and “TP3002O” is associated with a specific CTV device.
The apps with these backdoors behave as expected; a screen-casting app will successfully cast the screen. This makes it harder for the average user to recognize that anything is amiss.
Additional Backdoor Distribution Mechanism
Additionally, there is an extensive collection of apps which the threat actors “rebundled” and added to unofficial app marketplaces. These apps carry the names of high-profile and popular apps, but have had the BB2DOOR backdoor added to them. Once installed, they work in a similar fashion to the preinstalled variation of the backdoor.
Timeline and Targeting
After researchers uncovered the list of APKs from the new C2 servers, they began acquiring the corresponding devices to examine them for backdoors. Much like in the earlier BADBOX operation, devices infected by BADBOX 2.0 are off-brand low-cost consumer devices built or assembled in China and shipped worldwide. Once the backdoors were confirmed, researchers shared preliminary findings with select partners and dug further into the various fraud schemes perpetrated by the threat actors through the boxes.
HUMAN deployed several BADBOX 2.0-specific protections to the Human Defense Platform throughout the summer of 2024. Paired with HUMAN’s broad existing protections from attacks conducted through residential proxy services—such as those offered by BADBOX and BADBOX 2.0 threat actors—HUMAN customers and their consumers are safe from the impact of BADBOX 2.0.
Google took enforcement action to prevent bad actors from attempting to monetize the BADBOX family of invalid traffic.
As of January 2025, Satori researchers estimate more than 1 million devices worldwide are infected by BADBOX 2.0. More than a third of the BADBOX 2.0-infected devices observed by the Human Defense Platform are located in Brazil, where low-cost Android Open Source Project devices are particularly popular. Other countries with significant numbers include the United States, Mexico, Argentina, and Colombia. Overall, HUMAN observed BADBOX 2.0-associated traffic coming from 222 countries and territories worldwide:
Below is a list of device models known to be targeted by the threat actors. Not all devices of a given model are necessarily infected, but Satori researchers are confident that infections are present on some devices of the below device models:
Device Model
TV98
X96Q_Max_P
Q96L2
X96Q2
X96mini
S168
ums512_1h10_Natv
X96_S400
X96mini_RP
TX3mini
HY-001
MX10PRO
X96mini_Plus1
LongTV_GN7501E
Xtv77
NETBOX_B68
X96Q_PR01
AV-M9
ADT-3
OCBN
X96MATE_PLUS
KM1
X96Q_PRO
Projector_T6P
X96QPRO-TM
sp7731e_1h10_native
M8SPROW
TV008
X96Mini_5G
Q96MAX
Orbsmart_TR43
Z6
TVBOX
Smart
KM9PRO
A15
Transpeed
KM7
iSinbox
I96
SMART_TV
Fujicom-SmartTV
MXQ9PRO
MBOX
X96Q
isinbox
Mbox
R11
GameBox
KM6
X96Max_Plus2
TV007
Q9 Stick
SP7731E
H6
X88
X98K
TXCZ
Each of the devices in the table is represented by one or more APKs, based on what type of app—launcher, casting app, etc.—contains the backdoor code.
BADBOX 2.0: Fraud Schemes Enabled
Perhaps the defining characteristic of BADBOX 2.0—and of BADBOX before it—is the broad variety of fraud the operation enables. Researchers observed four distinct models of fraud facilitated by the persistent privileged access created by the BB2DOOR backdoor: the sale of residential proxy services based on backdoored devices (as well as downstream attacks perpetrated by those who bought the proxy access), two forms of programmatic ad fraud (hidden ads and hidden WebViews), and click fraud.
Residential Proxy
Satori researchers observed the MoYu Group threat actors offering residential proxy services at $13.64 per 5 GB of data routed through a proxy. With the number of BADBOX 2.0-infected devices actively functioning as proxy nodes, these services are a lucrative offering for threat actors.
Residential proxy services offered by MoYu, routed through BADBOX 2.0-infected devices (second image is a translation of the first)
The residential proxy module for BADBOX 2.0 functions similarly to that of BADBOX, but with a few notable changes:
BADBOX 2.0 residential proxy setup code
These instructions are retrieved from the C2 server using the same code as in BADBOX package com.debby.devour, but the threat actors adapted by changing which domains instruct and manage the proxy nodes. This was part of the threat actors’ effort to avoid detection by changing the infrastructure used to power the residential proxy component of the scheme.
BADBOX 2.0 also added a second residential proxy component, operating on different domains and on different ports from BADBOX:
BADBOX 2.0 secondary residential proxy setup code
Perhaps more dangerous than the residential proxy access itself, however, are the downstream attacks that residential proxy access facilitates. Threat actors who purchase residential proxy access often use that access to conduct attacks of their own, as the IP address associated with the attack will be different from the address they’re actually operating from.
Diagram of downstream attacks facilitated by BADBOX 2.0 residential proxy capability
Satori researchers observed a BADBOX 2.0-infected device in Satori’s lab attempting an account takeover attack. This attack demonstrates the downstream threat residential proxy creates:
Network activity capture from a BADBOX 2.0-infected device with a residential proxy active
Residential proxy use is not, in and of itself, fraudulent. But threat actors frequently use this tactic to hide information that might lead back to their identity; for example, in the account takeover (ATO) attack above, the attack appeared to come from the device in the Satori lab, instead of from the real threat actor who purchased access to the device’s IP address.
Programmatic Ad Fraud
There are two primary programmatic ad fraud schemes perpetuated by BADBOX 2.0-infected devices. One centers on hidden ads rendered on the device itself, while the other involves a vast network of HTML5 game websites visited by the devices in hidden WebViews. We’ll begin with the hidden ads threat.
Hidden Ads
Many BADBOX 2.0-infected devices come preinstalled with one or more launcher apps developed by LongTV. These apps, which behave as expected from a user’s perspective, contact a LongTV-operated C2 that side-loads code onto the device to request and render ads hidden from the user. The same C2 server was observed side loading additional apps to infected devices.
File being automatically downloaded and installed from file.long[.]tv
These additional apps behaved similarly to the preloaded ones, requesting and rendering hidden ads. Notably, these additional apps behave as “evil twins” to legitimate apps, similarly to the Satori investigation into the Konfety operation, published in July 2024.
Researchers identified 24 “evil twin” apps with corresponding apps in Google’s Play Store. The “evil twins” side loaded by the LongTV C2 share package names with “decoy twins” in the Play Store, giving the appearance of legitimate ad requests. Many of the “decoy twin” apps hosted in the Play Store have thousands of downloads but few, if any, reviews.
BADBOX 2.0-associated “decoy twin” app listings
These apps have more than 50,000 downloads but no reviews on their “decoy twin” listings. And though each bills itself as an app for mobile devices, nearly all the ad traffic HUMAN saw generated by “Earn Extra Income” and “Pregnancy Ovulation Calculator” originated from BADBOX 2.0-infected devices. (Notably, the “decoy twin” version of each app, if downloaded directly from the Play Store, contains none of the fraudulent modules.)
At its peak, the Hidden Ads ad fraud scheme within BADBOX 2.0 represented 5 billion fraudulent bid requests a week.
The Human Defense Platform is protecting customers from the impact of this threat.
Hidden WebViews/H5 Domains
Researchers also observed a complex scheme in which BADBOX 2.0-infected devices loaded hidden WebViews—think browser window—and navigated to one of a large number of websites hosting HTML5 games.
This scheme begins immediately after the backdoor is activated. The device retrieves a package—com.mz.sdk—from the C2 server. This package applies conditions to WebViews and ensures all submodules of the package also apply those conditions:
Entrypoint of com.mz.sdk
One of the submodules creates a new WebView and sends a request to the C2 server:
Request from new WebView
The server responds with a series of JavaScript instructions that prime the WebView to carry out a “playlist” of sorts, following a list of if-then actions.
C2 server response
Priming the WebView
These instructions are designed to make all the actions taken during the run of the “playlist” appear to be organic, making it harder for fraud fighters and advertisers to spot malicious activity. They include scrolling within the window, accepting cookies, clicking on elements on the page, and even visiting search engines before navigating to the H5 game sites to obscure the referrer information.
Once the WebView is primed, the C2 server sends new JavaScript with the playlist:
Screenshots of the JavaScript playlist and instructions for clicking and scrolling on an H5 gaming site
The playlist above navigates to one of the H5 game sites, where it follows one of several variations on the playlist, scrolling and clicking on specific pixels defined by the playlist.
Researchers found hundreds of these JavaScript-based playlists, each of which had several variations contained within the code, and each of which corresponded to a different H5 game site.
Many of the H5 game sites—of which there were hundreds—share the same general pattern: a homepage with tiles promoting web-based games, a navigation bar, and little else.
An H5 gaming site with a formulaic design
Clicking through to one of the games reveals what would be a frustrating experience for anybody intending to play the game:
An H5 game site rendering an in-game ad every few seconds
In-game ads pop up every few seconds, making gameplay impossible. The frequency of the ads reinforces two important notes about how the threat actors monetize this scheme:
CPMs—cost per mille, or the price for 1,000 ad renders—for in-game ads are higher than for digital mobile ads (often as high as double), allowing the publisher (the H5 game site owner) to receive more money per ad
There’s no realistic expectation of human eyes on these sites, as the gameplay is so frequently interrupted by ads
The threat actors also found alternative ways to monetize these sites. Several of the sites had subdomains with completely different content from the main site:
An H5 game site with a non-gaming version available, hiding content from advertisers
Satori researchers did not observe ads on the non-gaming versions of the H5 sites, but did observe code on those versions that would have enabled ads to be displayed:
A non-gaming version of an H5 site with an ad module
Notice the blank ad module in the H5 non-gaming site.
Additionally, researchers observed the threat actors abusing paid customizable search programs. Some search providers have programs that share paid search revenue derived from clicks with the publisher of a page participating in the program.
Some of the C2 JavaScript responses directed the hidden WebView to input a particular search string to the search engine, check whether the sponsored search result was present, and if it was, to click on that result.
Establishing a connection with app-goal before visiting a search engine
In the above screenshot, the JavaScript injected by the C2 is instructing the WebView to visit app-goal[.]com, a tool managed by the threat actors, and then to navigate to a major search engine. Once the WebView arrives on the search engine, the JavaScript connects with app-goal again in the background (using XMLHttpRequest, the browser API commonly called XHR, which lets the WebView retrieve information from app-goal without loading the page) to get a keyword for the search:
Requesting a keyword from app-goal
The response from app-goal gives the WebView the keyword to search on:
The C2 server responds with a keyword
That response triggers the WebView to load a new page, with the URL seeded with the keyword:
The hidden WebView loading the URL seeded with the requested keyword
Finally, a page with the paid search program API installed loads and, using a piece of JavaScript code, clicks on the search result, triggering the payout to the threat actors:
The paid search cashout
Click Fraud
Lastly, Satori researchers reverse-engineered components of MoYu’s C2 responses to the botnet to find a click fraud capability. In a similar fashion to the JavaScript “playlist”-based approach described in the Hidden WebViews/H5 Domains section above, researchers uncovered JavaScript payloads that directed infected devices to visit MoYu-managed low-quality domains and to click on ads hosted there:
JavaScript payload identifying an ad on a threat actor-owned low-quality domain
JavaScript payload passing instructions to an infected device to click on a visible ad
Disrupting BADBOX 2.0
As the scale of BADBOX 2.0 became clear to Satori researchers, HUMAN’s disruption and disclosure plans began to take effect.
Much as we did in our 3ve investigation in 2018, HUMAN worked closely with Google both to establish the full scope of the threat BADBOX 2.0 posed and to carry out disruption actions.
With numerous advertising solutions, HUMAN offers protection against a variety of ad fraud schemes, including the hidden ads and hidden WebView/H5 attacks described above, as well as click fraud attacks where applicable. HUMAN’s suite of security products also protects against malicious bot attacks, including the types of account takeover and account fraud attacks facilitated by the BADBOX 2.0 residential proxy capability.
Google has taken action to prevent bad actors from attempting to monetize on its advertising platforms by terminating publisher accounts associated with BADBOX 2.0 from the Google Ad ecosystem. Google Play Protect, Android’s built-in malware and unwanted software protection, automatically warns users and blocks apps known to exhibit BADBOX associated behavior at install time on Play Protect certified Android devices with Google Play Services, even when apps come from sources outside of Play. Google Play Protect is on by default on Android devices with Google Play Services.
It’s important to note that the threat actors behind BADBOX and BADBOX 2.0 may adapt again and relaunch their operations. The disruption efforts led by HUMAN and partners cannot dismantle the supply chain that enables these threat actors to implant the backdoor into devices destined for consumer hands.
Users should limit their app downloads to official marketplaces to prevent downloading apps that appear to be familiar, but which may have been rebundled by threat actors to include dangerous additions.
Conclusion
In our BADBOX investigation, we wrote that although disrupting an operation with the size and scale of BADBOX is a positive, adaptation is an inevitability and research must continue in order to eliminate gaps in the supply chain that allowed for a threat like BADBOX to happen.
That remains true with the disruption of BADBOX 2.0. Though we can identify the threat actor groups behind the various components of the operation, a true takedown of this threat remains elusive, as the supply chain of compromised devices is still intact. Satori researchers will continue to monitor all the threat actors involved in BADBOX 2.0 for continued adaptation.
The BADBOX 2.0 threat in particular is compelling in no small part because of the open-season nature of the operation. With the backdoor in place, infected devices could be instructed to carry out any cyberattack a threat actor developed. The attacks researchers observed coming from BADBOX 2.0-infected devices were particularly lucrative in focus (advertising fraud and proxy services are among the most “productive” attacks for threat actors), but they’re not the only attacks possible with persistent privileged access.
Perhaps the key takeaway from the BADBOX 2.0 story is the number of disparate threat actor groups that got involved. This wasn’t an attack by a single threat actor; this was a collection of threat actors sharing resources, and not only were they sharing infrastructure from which to support the attack, they shared targets. It was an all-for-one, one-for-all sort of attack, a dark mirror version of the Human Collective.
This in turn reinforces the role of organizations like the Human Collective. If threat actors are banding together to increase the sophistication of their attacks, their targets need to do the same to protect themselves from those ever-more-complicated threats.
HUMAN is uniquely positioned to protect customers from the full breadth of BADBOX 2.0 threats, which span the entire customer journey from advertising to website visit to login. And HUMAN’s research teams, including Satori, are constantly hunting for new and emerging threats, protecting customers before they can be affected.
Acknowledgements
Satori researchers would like to acknowledge the work of the following organizations, each of which contributed valuable insight into elements of BADBOX 2.0: