In the latest cybercrime revelation, an updated version of the massive ad fraud and residential proxy scheme known as BADBOX has been linked to four distinct threat actors – SalesTracker Group, MoYu Group, Lemon Group, and LongTV. This interconnected ecosystem has been uncovered by the HUMAN Satori Threat Intelligence and Research team in collaboration with Google, Trend Micro, Shadowserver, and other partners. BADBOX 2.0 is described as the largest botnet of infected connected TV (CTV) devices ever discovered.
The fraudulent operation relies on backdoors planted on consumer devices, which let the threat actors remotely load fraud modules that communicate with command-and-control servers run by the collaborating groups. These actors use a variety of methods to distribute malicious applications disguised as benign ones, backdooring both the devices and the apps installed on them. The infected devices then become part of a botnet used for programmatic ad fraud, click fraud, and illicit residential proxy services.
As many as one million devices, including inexpensive Android tablets, CTV boxes, digital projectors, and car infotainment systems, have fallen victim to BADBOX 2.0. The infections are primarily reported in Brazil, the United States, Mexico, and Argentina. The operation has been disrupted multiple times, with Google removing malware-infected apps from the Play Store and German authorities taking down part of the infrastructure.
The core of the operation, based on the Android malware Triada, operates under the codename BB2DOOR. It is spread through pre-installed components, remote server downloads, and trojanized versions of popular apps. Different threat groups are responsible for various aspects of the scheme, such as programmatic ad fraud, residential proxy services, and other cybercrimes. The attacks have evolved to include infected apps from third-party stores and a more sophisticated version of the malware for persistence.
The interconnected nature of the threat actors and the evolving tactics of the operation make BADBOX 2.0 a significant cyber threat. This discovery comes amidst Google’s removal of over 180 Android apps involved in ad fraud and the emergence of new campaigns deploying Android banking malware. The cybersecurity landscape continues to face challenges from sophisticated cybercrime operations.