HUMAN Exposes BADBOX 2.0 Scheme Infecting 1 Million Off-Brand Android Open Source Project Devices

The complex China-based operation involving backdoored devices and multiple types of fraud evolved from a 2023 BADBOX scheme disclosed and disrupted by HUMAN researchers
NEW YORK, NY — March 5, 2025 — HUMAN Security, Inc., the global cybersecurity leader in disrupting bot attacks and preventing digital fraud and abuse, announced today that in collaboration with Google, Trend Micro, The Shadowserver Foundation, and other partners, its Satori Threat Intelligence and Research Team has uncovered BADBOX 2.0, the largest botnet of infected connected TV (CTV) devices ever uncovered and disclosed. This multifaceted operation involves backdoored off-brand and uncertified Android Open Source Project-powered devices and builds upon an earlier scheme, BADBOX, disrupted in October 2023. Satori identified more than 1 million devices that were infected in BADBOX 2.0, up from the 74,000 in the original BADBOX scheme.
“The BADBOX 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted, the number of devices infected, the different types of fraud conducted, and the complexity of the scheme,” said Gavin Reid, CISO of HUMAN. “This operation embodies the interconnected nature of modern cyberattacks and how threat actors target the customer journey and demonstrates why businesses require full-spectrum protection from the impacts of digital fraud and abuse.”
HUMAN has been closely following the BADBOX actors and corresponding malware since the publication of the original report in October 2023. HUMAN observed updates and adaptations to the malware and followed these leads to uncover the entire operation. Researchers believe several threat actor groups participated in BADBOX 2.0, each contributing to parts of the underlying infrastructure or the fraud modules that monetize the infected devices, including programmatic ad fraud, click fraud, proxyjacking, and creating and operating a botnet across 222 countries and territories. HUMAN continues to investigate additional paths to disruption with Google, Trend Micro, Shadowserver, other partners, and law enforcement.
“We appreciate collaborating with HUMAN to take action against the BADBOX operation and protect consumers from fraud,” said Shailesh Saini, Director of Android Security & Privacy Engineering & Assurance, Google. “The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. Users should ensure Google Play Protect, Android’s malware protection that is on by default on devices with Google Play Services, is enabled.”
BADBOX 2.0 perpetrates four types of fraud:
- Programmatic ad fraud of multiple varieties, including hidden ads rendered by preinstalled apps and hidden WebViews that navigate to a collection of ad-heavy gaming sites.
- Click fraud, in which automated traffic from infected devices visits low-quality domains and clicks on ads, draining advertiser budgets.
- Residential proxy node creation, in which third-party traffic is routed through an infected device’s IP address via a proxy network owned and operated by the threat actors.
- Account takeover, fake account creation, credential stealing, sensitive information exfiltration, and DDoS attacks, all perpetrated by downstream threat actors to whom the residential proxy services were sold.
BADBOX 2.0 threat actors also operated over 200 re-bundled and infected versions of popular apps, listed on third-party marketplaces, that serve as an alternative backdoor delivery system. Satori researchers identified 24 “evil twin” apps with corresponding “decoy twin” apps on the Play Store, through which ad fraud is conducted; at their peak, the evil twin apps accounted for 5 billion fraudulent bid requests a week. BADBOX 2.0 actors also operated a network of nearly 1,000 ad-heavy gaming websites, which are used as a cashout mechanism.
“It takes a proactive approach to protect consumers and businesses from such a sophisticated cyber scheme like BADBOX 2.0,” said Lindsay Kaye, Vice President of Threat Intelligence at HUMAN. “Some of the fraud modules uncovered by Satori researchers had not yet been launched and may have been planned for future attacks. It’s critical to work with a cybersecurity partner that can monitor threat actors long after a threat is disclosed and protect against the type of adaptations seen in BADBOX 2.0.”
HUMAN’s Ad Fraud Defense protects clients, partners and customers against a variety of ad fraud schemes, including the hidden ads and hidden WebView attacks uncovered in BADBOX 2.0. HUMAN Account Takeover Defense also protects organizations against malicious bot account takeover and account fraud attacks, including the types facilitated by the BADBOX 2.0 residential proxy capability. To learn more about the BADBOX 2.0 operation and for a list of device models affected by BADBOX 2.0, visit the HUMAN blog and read the full technical report.
About HUMAN
HUMAN is a leading cybersecurity company committed to protecting the integrity of the digital world. We ensure that every digital interaction, transaction, and connection is authentic, secure, and human. Our Human Defense Platform safeguards the entire customer journey with high-fidelity decision-making that defends against bots, fraud, and digital threats. Each week, HUMAN verifies 20 trillion digital interactions, providing unparalleled telemetry data to enable rapid, effective responses to even the most sophisticated threats. Recognized by our customers as a G2 Leader, HUMAN continues to set the standard in cybersecurity. To ensure your digital connections are trusted, visit www.humansecurity.com.
Contact information:
Masha Krylova, Director of Communications
press@humansecurity.com