
Malware-Infested Android Devices Drive Global Botnet Fraud


A recent discovery by cybersecurity firm Human Security has revealed that more than 1 million off-brand Android devices manufactured in China have been infected with a Trojan. The devices reached consumers with a backdoor already installed; affected products include TV streaming boxes and aftermarket car infotainment systems.

The infected devices, which are typically low-cost and generic off-brand models, have become a popular tool for cybercrime groups to carry out various scams, such as programmatic ad fraud, click fraud, and using the devices as residential proxies to hide malicious traffic. One such operation, known as “Badbox,” was first uncovered by Human Security in 2023 and has recently resurfaced despite efforts by the German government to dismantle parts of its infrastructure.

The majority of infected devices are located in South America, with Brazil bearing the brunt of the impact. Notably, the affected devices come not from well-known manufacturers but from obscure brands. Badbox 2.0, as the latest iteration of the operation is known, is run by threat actor groups with distinct roles, although shared infrastructure and business connections suggest collaboration and overlap among them.

The main infection vector appears to be an infiltrated supply chain, although some victims unwittingly installed infected copies of legitimate apps themselves. Operators of the scheme have created counterfeit versions of popular apps containing malware, which have been downloaded by over 50,000 users. The malicious apps rely on social engineering to appear authentic, so they raise no suspicion when downloaded from sources such as the Google Play store.

One notable connection of Badbox 2.0 is to Longvision Media, a Malaysia-based internet and media company. Some of their LongTV streaming devices come preloaded with the Trojan, and the LongTV apps have hidden web browsers that redirect to sites hosting HTML5 games. These games, however, are not intended for actual gameplay but are designed to display ads at frequent intervals, generating revenue for the fraudsters. Advertisers pay a premium for in-game ads, allowing the operators of the fraudulent sites to profit even though no real users engage with the ads.

In addition to the ad fraud scheme, Lemon Group, a threat actor organization commonly associated with Badbox 2.0, utilizes the infected devices to provide residential proxy services. In response to this threat, Human Security, Trend Micro, Google, and the Shadowserver Foundation have collaborated to disrupt Badbox 2.0 by sinkholing internet traffic. While this intervention has temporarily hampered the operation, researchers caution that a more permanent solution is needed to eradicate the threat entirely.
