A new variant of the Badbox malware, now dubbed Badbox 2.0, has been detected on up to a million backdoored Android devices—spreading across cheap hardware and third-party app stores to launch massive ad fraud campaigns.
Key Points at a Glance:
- Badbox 2.0 infects up to a million Android devices, more than ten times the roughly 74,000 devices compromised in 2023.
- The botnet spreads through off-brand AOSP devices with malware preloaded in firmware and through "evil twin" apps on third-party app stores.
- Fraudulent ad clicks and views are concealed among legitimate traffic.
- The operation appears orchestrated by multiple criminal groups collaborating.
- Efforts by security firms and tech giants have already halved the active infections.
Security researchers from Human Security’s Satori team have uncovered a new variant of the notorious Badbox botnet, which now leverages up to a million infected Android devices to perpetrate widespread ad fraud. This resurgence marks a significant escalation from the initial outbreak in 2023, where around 74,000 devices—mainly off-brand internet-connected TV boxes—were compromised.
Badbox 2.0 specifically targets devices running the Android Open Source Project (AOSP), which ship without Google's Play Protect certification. It has been found on cheap off-brand smartphones, additional internet-connected TV boxes, tablets used in vehicles, and even digital projectors. The malware spreads through supply-chain manipulation: criminals purchase inexpensive hardware, rebrand it, install the malicious software (either embedded in the firmware or bundled with popular apps from third-party stores) and then resell the tainted products. More than 200 apps on third-party Android app stores have been identified as "evil twins" of legitimate applications, deceiving users into unwittingly downloading and installing the malware.
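The two infection routes above leave different traces on a device. A firmware-embedded implant lives on the system partition and is invisible to per-app checks, but an evil-twin app sideloaded from a third-party store shows up in the package manager with either no recorded installer or an installer other than Google Play. The script below is an added example by the editor, not tooling from Human Security or anyone named in the article: it parses the output of `adb shell pm list packages -i` (the `-i` flag prints the installing package next to each app) and flags packages that were sideloaded, installed by a non-allowlisted store, or whose name is a near-duplicate of a known legitimate package. The sample output, the package names and the allowlists are constructed for the example.

```python
"""Triage Android packages by installer and by look-alike names.

Editor-added example, not code from the original article. Feed it the
output of `adb shell pm list packages -i -3` from a device under review.
Everything below (sample output, package names, allowlists) is constructed.
"""
import difflib

# Constructed sample of `pm list packages -i -3` output. Real devices print
# one line per package in the form "package:<name>  installer=<pkg|null>".
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.videoplayer  installer=com.aptoide.installer
package:com.exampel.bank  installer=null
"""

# Stores whose installs we accept. Google Play is com.android.vending;
# an OEM's own store would be added here after review.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Legitimate package names we expect on the fleet (constructed list). Anything
# that is not in this set but is textually very close to an entry is treated
# as a possible "evil twin".
KNOWN_PACKAGES = {"com.example.bank", "com.example.weather"}


def parse_pm_list(output):
    """Map package name -> installing package, or None when sideloaded.

    `installer=null` is what the package manager reports for apps pushed via
    adb, installed from a downloaded APK, or placed on the device before first
    boot, so None is the interesting case.
    """
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, sep, rest = body.partition("installer=")
        installer = rest.strip() if sep else "null"
        installed[pkg.strip()] = None if installer == "null" else installer
    return installed


def find_suspicious(output, trusted=TRUSTED_INSTALLERS, known=KNOWN_PACKAGES):
    """Return a list of (package, reason) findings for the given pm output."""
    findings = []
    for pkg, installer in parse_pm_list(output).items():
        if installer is None:
            findings.append((pkg, "sideloaded (no installer recorded)"))
        elif installer not in trusted:
            findings.append((pkg, f"installed by untrusted store {installer}"))
        if pkg not in known:
            # A name within ~10% edit distance of a known package is a classic
            # evil-twin pattern (transposed or dropped characters).
            near = difflib.get_close_matches(pkg, known, n=1, cutoff=0.9)
            if near:
                findings.append((pkg, f"name resembles known package {near[0]}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in find_suspicious(SAMPLE_PM_OUTPUT):
        print(f"{pkg}: {reason}")
```

Run this against a real device by piping `adb shell pm list packages -i -3` into `find_suspicious`. Two caveats a reviewer should keep in mind: the `-3` flag excludes system packages, so a firmware-level implant of the kind this article describes will never appear here (compare the system partition against a clean image from the same SoC vendor instead), and on a device that is already backdoored the package manager itself may lie, so the output is evidence for triage, not proof of cleanliness.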
Gavin Reid, CISO at Human Security, explained that the botnet’s operators have expanded both the range of targeted devices and the sophistication of their fraud schemes. “The Badbox 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the types of devices targeted, the number of devices infected, and the complexity of the fraud conducted,” he said.
Once active, the malware directs infected devices to generate fraudulent ad clicks and views. Because the devices sit on ordinary residential connections, that traffic blends into normal consumer internet activity and evades ad-fraud prevention systems that rely on filtering data-center or known-proxy IP ranges. The malware also captures passwords entered on the compromised hardware. While the botnet could in principle be used for denial-of-service attacks, its operators appear intent on keeping a low profile to avoid drawing attention.
Collaborative efforts among Human Security, Google, Trend Micro, and the non-profit Shadowserver Foundation have already disrupted the botnet, cutting the number of active infections by about half. However, security experts warn that the perpetrators are likely to adapt their tactics, given that many of the malware modules are currently labeled “test”—suggesting the botnet is still in its nascent stages.
For users, this serves as a stark reminder: buying cheap, off-brand hardware and downloading apps from third-party stores significantly increases the risk of infection. Taking precautions can help avoid becoming an unwitting participant in such large-scale ad fraud networks.