Off-Brand Android Devices Come Infected With A Trojan

A botnet has infected more than 1 million off-brand Android devices manufactured in China that reached consumers with a backdoor already installed, in gadgets ranging from TV streaming boxes to aftermarket car infotainment systems.
Low-cost Android devices made in China and backdoored somewhere along a murky supply chain are a known vector for cybercrime groups to run a range of scams, including programmatic ad fraud, click fraud and converting the devices into residential proxies that hackers use to hide malicious traffic.
Cybersecurity firm Human Security in 2023 uncovered an operation dubbed "Badbox" infecting Android devices, and on Wednesday said the group has resumed operations despite the German government taking down a large chunk of its infrastructure last December (see: German BSI Disrupts Android Malware Infecting IoT Devices).
Most infected devices are concentrated in South America, with Brazil the hardest hit. The affected devices are typically generic, off-brand models such as "TV98" or "GameBox" rather than products from well-known manufacturers.
Badbox, now Badbox 2.0, is really a set of threat actors who each play a distinct role, although there’s likely collaboration or overlap between them since they share infrastructure and have business ties.
An infiltrated supply chain appears to be the main method of infecting devices, although some victims inadvertently downloaded malicious copies of brand-name apps onto their devices. Operators put up "evil twin" versions of apps laced with malware, apparently garnering more than 50,000 downloads. The versions of those apps that appear on the Google Play store aren't malicious, a social-engineering technique that leads victims to believe the app is benign no matter where they downloaded it from.
One component of Badbox 2.0 may have ties to Longvision Media, a Malaysia-based internet and media company. Some of its LongTV streaming devices come preinstalled with the backdoor, and LongTV apps on the devices have launched hidden web browsers to connect to sites hosting HTML5 games. The games aren't really designed to be played; they're designed to serve ads, which appear every few seconds, "making gameplay impossible." Advertisers pay a premium for in-game ads, so owners of the fraudulent game sites receive more money per ad, despite no human ever seeing them. Human Security wrote that the fake game sites are operated by threat actors commonly tracked as "Lemon Group."
LongTV-developed apps also feature in the "evil twin" scam. Lemon Group additionally uses Badbox 2.0 devices to offer residential proxy services.
Human Security, Trend Micro and Google, in collaboration with the Shadowserver Foundation, worked to disrupt Badbox 2.0 by sinkholing the botnet's traffic. Researchers warned that they likely didn't put a permanent stop to the operation.
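Sinkholing redirects the botnet's command-and-control lookups to infrastructure the disruption partners control, which means the devices on your own network that are phoning home become visible in resolver logs. The script below is an added example, not code from the article or from any of the organizations it names: it matches a resolver's query log against a list of sinkholed domains and reports which LAN clients queried them. The domain names (under the reserved `.invalid` TLD), the dnsmasq-style log lines and the `SINKHOLED`, `is_sinkholed` and `suspect_hosts` names are all constructed placeholders; real indicators would come from the sinkhole operators, not from this page.

```python
"""
Added example (not from the article or from Human Security / Shadowserver):
triage a resolver's query log against a list of sinkholed domains to find
which LAN hosts (e.g. an off-brand streaming box) are phoning home.
The domains and log lines below are constructed placeholders under the
reserved .invalid TLD; real indicators come from the disruption partners.
"""
from collections import defaultdict
import re

# Hypothetical sinkholed C2 domains (placeholders, not real Badbox indicators).
SINKHOLED = {"c2-a.badbox-example.invalid", "proxy-b.badbox-example.invalid"}

# Constructed dnsmasq-style log lines for illustration.
SAMPLE_LOG = """\
Mar 05 21:14:02 dnsmasq[1234]: query[A] c2-a.badbox-example.invalid from 192.168.1.57
Mar 05 21:14:02 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Mar 05 21:14:33 dnsmasq[1234]: query[A] sub.c2-a.badbox-example.invalid from 192.168.1.57
Mar 05 21:15:10 dnsmasq[1234]: query[AAAA] proxy-b.badbox-example.invalid from 192.168.1.88
Mar 05 21:15:44 dnsmasq[1234]: query[A] www.example.com from 192.168.1.57
"""

# Pull the query type, queried name and client address out of each line.
LINE_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_sinkholed(name, sinkholed=SINKHOLED):
    """True if name equals, or is a subdomain of, a sinkholed domain.

    The label boundary check ("." + d) avoids matching unrelated names
    that merely end with the same characters.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def suspect_hosts(log_text, sinkholed=SINKHOLED):
    """Map client IP -> sorted list of sinkholed names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record (cache hits, config lines, ...)
        if is_sinkholed(m["name"], sinkholed):
            hits[m["client"]].add(m["name"].rstrip(".").lower())
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(names)}")
```

Each flagged client is a candidate for the physical-inspection step: find the device behind that address and check whether it is one of the generic streaming boxes or infotainment units the article describes. Blocking the sinkholed names at the resolver stops the ad-fraud and proxy traffic but does not remove the backdoor from the firmware.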