Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes
Essential information
- Published
- 06/06/2025 20:22
- Modified
- 08/06/2025 19:35
- Tags
- 2025-06-06 ad fraud android badbox bb2door botnet consumer devices ctv iot residential proxy vo1d
- Related entities
- 200 observables, 5 techniques (mitre), 8 others
Description
HUMAN's Satori team uncovered and partially disrupted BADBOX 2.0, a complex fraud operation targeting over 1 million low-cost consumer devices worldwide. The scheme involves a backdoor pre-installed on devices or distributed through unofficial app marketplaces, allowing threat actors to conduct various fraudulent activities. These include selling residential proxy services, ad fraud through hidden ads and WebViews, and click fraud. Four main threat actor groups were identified: SalesTracker, MoYu, Lemon, and LongTV. The operation affects Android Open Source Project devices in 222 countries, with Brazil being the most impacted. Disruption efforts involved collaboration with Google and other partners to mitigate the threat's impact.