“Satori identified more than 1 million devices that were infected in Badbox 2.0, up from the 74,000 in the original Badbox scheme,” Human added.
Badbox 2.0 operates multiple frauds
Badbox 2.0 infiltrates low-cost consumer devices with backdoors, allowing threat actors to remotely deploy fraud modules.
These devices connect to actor-controlled C2 servers and, once activated, can be used for multiple attacks, including programmatic ad fraud, click fraud, and acting as residential proxy servers, which in turn facilitate account takeover, fake account creation, DDoS, malware distribution, and one-time-password (OTP) theft.
“Badbox 2.0 threat actors also operated over 200 re-bundled and infected versions of popular apps listed on third-party marketplaces and served as an alternative backdoor delivery system,” researchers added. Of these, the team identified 24 “evil twin” apps with corresponding “decoy twin” apps on the Play Store, through which ad fraud is conducted.