1 Million Third-Party Android Devices Expose Hidden Backdoor for Scammers

Research teams from various cybersecurity firms have uncovered that a recent campaign appears to originate from a loosely organized network of fraud groups instead of a single perpetrator. Each participating group operates its own variations of the Badbox 2.0 backdoor and associated malware modules, distributing these threats through diverse methods. In several instances, malicious applications are found preinstalled on compromised devices. However, many of the tracked instances involved attackers deceiving users into inadvertently installing the compromised software.

One notable tactic identified by researchers involves the creation of seemingly harmless applications, such as games, which are uploaded to Google’s Play Store to give a veneer of legitimacy. Scammers then entice users to download nearly identical, malicious versions of these apps from unofficial sources. Researchers report that at least 24 instances of such “evil twin” apps have been detected, facilitating ad fraud in the legitimate Google Play versions and spreading malware through the counterfeit applications. Furthermore, Human, a cybersecurity firm, discovered that the fraud groups have distributed over 200 re-bundled versions of popular applications, further extending their reach.

Lindsay Kaye, Vice President of Threat Intelligence at Human, noted that four distinct fraud modules have been observed: two targeting ad fraud, one designed for fake clicks, and another exploiting residential proxy networks. Kaye indicated the modular nature of these operations suggests the potential for further development and new relationships, thus enabling the addition of more malware functionalities.

The Badbox 2.0 investigation has seen collaboration between Human and Trend Micro, with a focus on understanding the actors behind this malicious activity. Fyodor Yarochkin, a senior threat researcher at Trend Micro, emphasized the immense scale of the operation, suggesting that there could be upwards of a million devices currently compromised and likely even more if all suspected devices with payloads were accounted for.

Yarochkin further explained that many of the groups involved appear to have ties to Chinese gray-market advertising and marketing firms. He recounted that over a decade ago, numerous legal cases in China highlighted instances where companies had embedded “silent” plugins on devices for various fraudulent activities. According to Yarochkin, the entities that have continued to thrive since that time have adapted their methodologies to survive.

Through ongoing investigations, Yarochkin identified multiple business entities in China that may be connected to the Badbox 2.0 campaign, revealing both economic and technical ties. The researchers were able to ascertain addresses, visualize office environments, and track employees through professional networking platforms, further solidifying the connections between these groups.

In a collaborative effort, Human, Trend Micro, and Google partnered with the Shadowserver internet security group to disrupt the Badbox 2.0 infrastructure by sinkholing its botnet activity, so that the infected devices' communications are redirected to servers the operators do not control. However, experts caution that scammers adapt after exposure, so the disruption of Badbox 2.0 is unlikely to eliminate these malicious activities permanently.

Yarochkin advises consumers to remain vigilant when purchasing devices that seem suspiciously inexpensive, reiterating that there is rarely such a thing as a free lunch: unusually cheap electronics warrant close scrutiny for the hidden threats that may come with them.

Several of the tactics used in these operations map to techniques in the MITRE ATT&CK framework: initial access through compromised applications, persistence through the installed malware, and potential privilege escalation as the fraud groups entrench themselves further on infected devices. Business owners should stay aware of these evolving threats to safeguard their digital environments against persistent cyber risks.