HUMAN BLOG

BADBOX 2.0: The sequel no one wanted

Adam Sell

March 5, 2025

Categories: Ad Fraud, Research & Detection, Threat Intelligence


The Satori Threat Intelligence and Research team discovered BADBOX 2.0, a complex, China-based operation that compromised off-brand devices.

HUMAN’s Satori Threat Intelligence and Research Team today published a report detailing the inner workings of BADBOX 2.0, a significant expansion and adaptation of the BADBOX operation that HUMAN first reported in October 2023. This operation, which HUMAN partially disrupted in collaboration with Google, Trend Micro, and other partners, affected over a million off-brand consumer devices worldwide and perpetuated several types of fraud.

What is BADBOX 2.0?

BADBOX 2.0 is a prime example of the interconnected nature of modern cyberattacks and how threat actors target the entire customer journey. Here’s the TL;DR on what Satori found and how the operation worked:

  • BADBOX 2.0 is a multifaceted, China-based operation that begins with off-brand Android Open Source Project-powered devices (connected TVs, cellphones, tablets, digital projectors, and aftermarket car infotainment systems) with a backdoor installed. This allows threat actors to deploy fraud modules. 
  • Satori researchers estimate that BADBOX 2.0 infected more than 1 million consumer devices across 222 countries and territories, up from 74,000 in the original BADBOX. The greatest number of infected devices—which consumers cannot fix themselves—are found in Brazil, followed by the US, Mexico and Argentina.
  • BADBOX 2.0 is the largest botnet of infected connected TV devices ever uncovered.
  • Researchers believe several threat actor groups participated in BADBOX 2.0, each contributing to parts of the underlying infrastructure and/or the fraud modules monetizing infected devices. The threat actors share elements of the infrastructure powering the scheme, suggesting cooperation and collaboration among the groups.
  • BADBOX 2.0-infected devices perpetuated multiple types of fraud, including:
    • Programmatic ad fraud (centered on hidden ads and WebViews)
    • Click fraud involving low-quality domains
    • Residential proxy node creation, which resulted in downstream account takeover, fake account creation, credential stealing, sensitive information exfiltration, and DDoS attacks

Satori researchers have shared information about BADBOX 2.0 and the threat actors with law enforcement. 

For detailed information about the operation, including lists of infected device models, ad-heavy gaming websites, and decoy twin apps, please consult the full report.

Bigger and badder BADBOX

Perhaps one of the most challenging aspects of BADBOX 2.0 is not just that ordinary consumers were targeted by the operation, but that it might be difficult for those consumers to sense that something was awry with the devices they purchased. In most of the fraud schemes perpetrated by the threat actors, the malicious behavior happened in the background, out of sight of the users whose devices were commandeered for fraud.

In that way, BADBOX 2.0 might serve as a reminder to consumers to buy only devices with familiar brand names, and buy/download apps only from official app marketplaces. Users can check if their devices are Google Play Protect-certified, as certified devices warn users and block apps with BADBOX 2.0-associated behavior.

Satori researchers uncovered BADBOX 2.0 while it was still in a testing phase, because it used tactics, techniques, and procedures (TTPs) similar to those of the original BADBOX. Researchers believe the adaptation may be a response to HUMAN’s exposure of the original campaign. While the operation shares much with the original BADBOX, it adds new mechanisms for deploying the backdoor, new types of fraud, and new and more intensive obfuscation techniques.

HUMAN obtained a unique understanding of the BADBOX 2.0 operation and infrastructure and tracked the threat as it evolved, allowing us to protect our customers before many fraud schemes were launched. 

Thinking outside the BADBOX

With more than a million infected devices worldwide, the BADBOX 2.0 operation has a massive reach. Many of those devices were pre-infected, but some got BADBOXified by unsuspecting consumers who downloaded an app from an unofficial app store, only to have the backdoor come along for the ride.

Android device users who want to protect themselves from threats like BADBOX 2.0 can take proactive measures such as the following:

  • Download apps only from official marketplaces.
  • Purchase only Google Play Protect-certified Android devices.
  • Avoid off-brand devices like the ones impacted by both BADBOX 1 and 2.

HUMAN continues to work closely with Google and other partners to reduce the proliferation of BADBOX 2.0 so we can stop a three-quel from ever being made.

To learn more about BADBOX 2.0, read the full technical report here.
