The BADBOX 2.0 Operation
BADBOX is back and it’s badder than before. HUMAN’s Satori Threat Intelligence and Research Team uncovered a major expansion and adaptation to the original threat. Let’s unbox BADBOX 2.0.
What’s New with BADBOX 2.0?

Threat actors expanded device targeting, infecting phones, tablets, connected TV (CTV) boxes, digital projectors, and aftermarket car infotainment systems.

More devices, more fraud: BADBOX 2.0 infected more than a million consumer devices worldwide, up from 74,000 in the original BADBOX operation.

Infected devices perpetrated several kinds of fraud, including ad fraud, click fraud, and attacks enabled by residential proxy capabilities.

How did BADBOX 2.0 spread?
Consumer devices were infected in one of three ways:
- Some devices were infected before shipping to consumers
- Others automatically connected to the threat actors’ servers on first boot and were infected that way
- Still others were infected when unsuspecting users downloaded infected apps from unofficial app marketplaces

What did BADBOX 2.0 do?
Infected devices requested and clicked on ads where users couldn’t see them and were used as tools for threat actors to carry out other cyberattacks, like account takeover, DDoS, and spreading malware.
24 | Ad fraud laundering apps
955 | Cashout gaming sites used

How big is BADBOX 2.0?
BADBOX 2.0’s impact is global, with more than 1 million devices infected in 222 countries and territories.
8,680/second | Fake bid requests at peak

How to protect yourself
Tips for avoiding schemes like BADBOX 2.0:
• If buying an Android device, ensure it’s Play Protect-certified.
• Download apps only from official app marketplaces.
• Avoid off-brand devices like the ones targeted by BADBOX 2.0.
