BADBOX 2.0 Botnet Weaponizes Uncertified Devices for Proxies, Fraud, and Credential Theft

Threat Group: SalesTracker Group, MoYu Group, Lemon Group, LongTV
Threat Type: Android Malware Botnet
Exploited Vulnerabilities: Supply chain compromises, malicious third-party apps, uncertified Android devices
Malware Used: BB2DOOR (variant of Triada)
Threat Score: 🔥 Critical (9.1/10)
Last Threat Observation: June 7, 2025


Overview

BADBOX 2.0 is the successor to an Android malware campaign that was disrupted once and has since grown into a global cybercrime operation. First identified in 2023 and rebuilt after the late-2024 disruption, the campaign has infected over one million Android-based devices worldwide. By combining supply chain compromise with distribution through malicious apps and drive-by downloads, BADBOX 2.0 builds a persistent botnet that its operators monetize in several ways at once.

The malware targets uncertified Android Open Source Project (AOSP) devices, including smart TVs, tablets, and other IoT hardware, particularly low-cost electronics manufactured in China. Its BB2DOOR component, a Triada-based backdoor, is integrated at the firmware level, which gives it persistence that survives a user-level reset.

Its global reach and multilayered attack strategy make BADBOX 2.0 a serious problem for individuals, organizations, and governments. At its core are four cooperating threat groups, each running one segment of the infrastructure or monetization.


Key Details

  • Delivery Method: Supply chain compromise, malicious third-party applications, drive-by downloads
  • Primary Targets: Low-cost AOSP devices (e.g., CTVs, projectors, infotainment systems)
  • Botnet Size: Over 1 million devices across 222 countries
  • Peak Fraud Volume: 5 billion bid requests weekly
  • Groups Involved: SalesTracker (C2), MoYu (BB2DOOR dev & proxy sales), Lemon (ad fraud), LongTV ("evil twin" adware apps)
  • Geography: Major infections in Brazil (37.6%), U.S. (18.2%), Mexico (6.3%), Argentina (5.3%)

Obfuscation & Persistence:

  • Malicious library: libanl.so
  • Obfuscated C2 calls, modified XXTEA encryption, modified system libraries

Attack Vectors

BADBOX 2.0 utilizes a layered infection strategy, targeting both the digital supply chain and individual user behavior to maximize its reach and stealth:

  1. Pre-installed Malware (Supply Chain Compromise):
    • Devices are shipped with BB2DOOR already embedded in the firmware. This ensures infection upon first boot without any user interaction.
    • Primarily affects uncertified devices from lesser-known manufacturers with limited quality assurance or vetting procedures.
    • Often advertised as "unlocked" devices with enhanced features such as free streaming, making them attractive to budget-conscious consumers.
  2. Malicious Third-Party Applications:
    • Over 200 known "evil twin" applications mimic popular apps but contain hidden backdoors.
    • These apps are distributed via third-party app stores and websites that lack security screening processes.
    • Users seeking modified or free versions of popular apps are particularly at risk.
  3. Drive-by Downloads:
    • Leveraged through compromised websites or fraudulent ads.
    • Simply visiting a malicious site can trigger an automatic download of the malware, exploiting browser vulnerabilities or misleading users into granting permissions.
    • These tactics are increasingly common in mobile-focused malvertising campaigns.
  4. Hidden App Installers & Content Applications:
    • BADBOX 2.0 also spreads through built-in content delivery systems on infected devices.
    • Fake update prompts or media suggestions can install secondary payloads when accepted by the user.
  5. Rogue OTA (Over-The-Air) Updates:
    • In some cases, manufacturers or distributors push rogue OTA updates embedding BB2DOOR post-sale.
    • These updates appear legitimate and are difficult for users to distinguish from safe system maintenance.
  6. Local ADB Exploits (Advanced):
    • While less common, there is emerging evidence of infected devices exploiting Android Debug Bridge (ADB) when exposed, potentially compromising devices on the same network.

This multifaceted vector strategy demonstrates BADBOX 2.0's adaptability and the critical need for defenses that account for both pre-purchase integrity and post-sale user behavior.
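Item 6 above describes infected devices reaching for an exposed Android Debug Bridge on the same network. The check a defender wants is the inverse: find hosts on the IoT segment that answer an ADB handshake at all, and separate those that demand RSA key approval from those that accept any client. The script below is an added example and is not code from the original advisory or from the groups it describes. It speaks ADB's public wire protocol (24-byte header of six little-endian uint32 fields, followed by the payload); the `start_fake_adbd` function is a test double of my own so the example runs offline, and the host list passed to `scan_segment` is a constructed placeholder.

```python
"""Probe hosts for an exposed Android Debug Bridge daemon (TCP 5555) and
report whether it accepts connections without authentication.
Added example; the fake daemon is a test double, not a real adbd."""
import socket
import struct
import threading

ADB_PORT = 5555
A_CNXN = 0x4E584E43    # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541    # b"AUTH"
A_VERSION = 0x01000000
A_MAXDATA = 4096
HEADER_LEN = 24


def adb_message(command, arg0, arg1, payload=b""):
    """Encode one ADB message: header fields (command, arg0, arg1,
    data_length, data_checksum, magic) followed by the payload.
    magic is the bitwise complement of command; checksum is the byte sum."""
    checksum = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(payload), checksum, magic)
    return header + payload


def parse_header(data):
    """Decode a 24-byte header and verify its magic; return the command or None."""
    if len(data) < HEADER_LEN:
        return None
    command, _, _, _, _, magic = struct.unpack("<6I", data[:HEADER_LEN])
    return command if magic == (command ^ 0xFFFFFFFF) else None


def probe_adb(host, port=ADB_PORT, timeout=2.0):
    """Send a CNXN handshake and classify the first reply:
    'open'          -> daemon answered CNXN: any LAN host gets a shell
    'auth-required' -> daemon answered AUTH: RSA key approval needed
    'not-adb'       -> something else is listening on the port
    None            -> connection refused or timed out"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(adb_message(A_CNXN, A_VERSION, A_MAXDATA, b"host::\x00"))
            head = sock.recv(HEADER_LEN)
    except OSError:
        return None
    command = parse_header(head)
    if command == A_CNXN:
        return "open"
    if command == A_AUTH:
        return "auth-required"
    return "not-adb"


def scan_segment(hosts, port=ADB_PORT, timeout=1.0):
    """Probe every host; return {host: verdict} for hosts with a listener."""
    results = {}
    for host in hosts:
        verdict = probe_adb(host, port, timeout)
        if verdict is not None:
            results[host] = verdict
    return results


def start_fake_adbd(reply_command):
    """Test double (NOT a real adbd): listens on 127.0.0.1, answers the
    first message with the given command, then closes. Returns the port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.recv(HEADER_LEN + 64)          # swallow the client's CNXN
            conn.sendall(adb_message(reply_command, 1, 0, b"token\x00"))
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: a fake daemon that accepts anyone, then a scan of it.
    demo_port = start_fake_adbd(A_CNXN)
    print(scan_segment(["127.0.0.1"], port=demo_port))
```

Run `scan_segment` against the address range of the IoT or smart-TV VLAN. A host reported as `open` will accept `adb connect` and `adb shell` from any machine on that segment with no approval prompt, which is exactly the condition item 6 relies on; `auth-required` still means the debug interface is reachable and should be firewalled. A real daemon follows its AUTH reply with a token the client must sign, so the probe stops after the first header and never attempts to authenticate.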


Indicators of Compromise (IoCs)

Device Models Targeted by Threat Actors

Amlogic/X96 - X96Max_Plus2
Amlogic/X96 - X96MATE_PLUS
Amlogic/X96 - X96Q
Amlogic/X96 - X96Q_PRO
Amlogic/X96 - X96Q_PR01
Amlogic/X96 - X96Q_Max_P
Amlogic/X96 - X96QPRO-TM
Amlogic/X96 - X96_S400
Amlogic/X96 - X96mini
Amlogic/X96 - X96mini_Plus1
Amlogic/X96 - X96mini_RP
Allwinner - H6
Allwinner - Q96L2
Fujicom - SmartTV
Generic - MBOX
Generic - Mbox
Generic - SMART_TV
Generic - Smart
Generic - TVBOX
Google/SEI Robotics - ADT-3
H96 - Z6
iSinbox - I96
iSinbox - iSinbox
iSinbox - isinbox
LongTV - GN7501E
MECOOL - KM1
MECOOL - KM6
MECOOL - KM7
MECOOL - KM9PRO
Orbsmart - TR43
Rockchip - Q9 Stick
Rockchip - R11
Rockchip - X88
Rockchip/MXQ - MXQ9PRO
Rockchip/Various - MX10PRO
Sunvell - S168
Tanix - TX3mini
Tanix - TXCZ
TouYinger - Projector_T6P
Transpeed - Transpeed
Unisoc - SP7731E
Unisoc - ums512_1h10_Natv
Unknown - A15
Unknown - HY-001
Unknown - OCBN
Unknown - TV007
Unknown - TV008
Unknown - Xtv77
Unknown Generic - TV98
Various - AV-M9
Various - GameBox
Various OEM - M8SPROW
Various - X98K

C2 Domains

100ulife[.]com
1ztop[.]work
99soya[.]shop
ad3g[.]com
admoyu[.]com
ads-goal[.]com
ai-goal[.]com
apotube[.]com
app-goal[.]com
appclicking[.]com
astrolink[.]cn
bitemores[.]com
bltproxy[.]com
bluefish[.]work
bullet-proxy[.]com
catmore88[.]com
catmos99[.]com
cbphe[.]com
cbpheback[.]com
clickby[.]net
clocksyn[.]com
coslogdydy[.]in
cxlcyy[.]com
cxzyr[.]com
dazzl[.]vip
dc16888888[.]com
dcylog[.]com
dqmop[.]com
duoduodev[.]com
easyjoy[.]me
echojoy[.]xyz
finemob[.]com
firehub[.]link
firehub[.]work
flyermobi[.]com
fuhidd[.]com
g1ee[.]com
giddy[.]cc
goologer[.]com
heygames[.]club
huulog[.]com
huuww[.]com
ipforyou[.]top
ipmoyu[.]com
jasmine[.]land
jolted[.]vip
joyfulxx[.]com
jutux[.]work
logcer[.]com
long[.]tv
meiboot[.]com
meisvip[.]com
moonhub[.]work
motiyu[.]net
moyi88[.]xyz
moyix[.]com
msohu[.]online
msohu[.]shop
mtcpmpm[.]com
mtcprogram[.]com
mtcpuouo[.]com
mymoyu[.]shop
navnow[.]xyz
net-goal[.]com
pcxrl[.]com
pcxrlback[.]com
pccyy[.]com
petrel-ip[.]com
pixelscast[.]com
pixlo[.]cc
pm2za[.]cc
qazwsxedc[.]xyz
qocoll[.]com
qulogger[.]com
randomhow[.]com
retrofitxer[.]com
rzless[.]work
shanhulan[.]cn
simplekds[.]me
soyatea[.]online
sparkjoy[.]cc
supportdatainput[.]top
sustat[.]com
syloger[.]com
sysbinder[.]com
sysbinder[.]xyz
tvsnapp[.]com
ttyunos[.]com
tuding[.]xyz
veezy[.]site
vividweb[.]work
vmud[.]net
wildpettykiwi[.]com
wildpettykiwi[.]info
wildpettykiwi[.]xyz
wotads[.]com
ycxad[.]com
ycxrl[.]com
ycxrldow[.]com
yeyeyeye[.]xyz
yxcrl[.]com
yydsma[.]com
yydsmb[.]com
yydsmd[.]com
yydsmr[.]com
ziyemy[.]shop
ztword[.]com
zxcvbnmasdfghjkl[.]xyz

Mitigation and Prevention

  • Procurement Policies:
    • Buy only Play Protect certified Android devices; uncertified AOSP builds have not been through Google's compatibility and security testing
    • Audit the suppliers and resellers of any Android-based hardware before it is deployed
  • Network Security:
    • Segment smart TVs, set-top boxes and other IoT hardware from corporate networks and restrict their outbound access to what they need
    • Alert on DNS lookups and outbound connections to the C2 domains listed above, and on proxy-like traffic from devices that should only be streaming content
    • Deploy behavioral analytics to catch the residential-proxy and ad-fraud traffic patterns the botnet generates
  • Application Security:
    • Enforce official app store usage and block sideloading from third-party stores where policy allows
    • Vet apps in BYOD environments
  • User Awareness:
    • Educate on the risks of unofficial apps and "modded" app versions
    • Discourage "free streaming" and "unlocked" devices sold with bundled content
  • Incident Response:
    • Deploy Android EDR tools
    • Build playbooks for Android/IoT response
    • Prepare for firmware re-flash or device replacement: a backdoor embedded in firmware survives a factory reset
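The advisory publishes its C2 domains in defanged form and its affected device models as brand/model strings, and the Network Security items above call for matching DNS traffic against them. The script below is an added example, not code from the original advisory or from any vendor report, showing how a triage pass would refang the domain list, match a DNS log against it (including subdomains of a listed domain, but not look-alike names that merely end in the same letters), and cross-reference the clients that hit with a device inventory keyed on the Android `ro.product.model` value. The IoC subsets, the log line format, and the inventory entries are all constructed for the example; the full lists above should be pasted in for real use.

```python
"""Match BADBOX 2.0 network and device IoCs against a DNS log and an
Android device inventory. Added example; IoC subsets, log lines and
inventory below are constructed, not from any real environment."""
import re
from collections import defaultdict

# Constructed subset of the advisory's defanged C2 domain list.
DEFANGED_C2 = """
admoyu[.]com
bltproxy[.]com
bullet-proxy[.]com
long[.]tv
sysbinder[.]com
sysbinder[.]xyz
wildpettykiwi[.]com
"""

# Constructed subset of the advisory's "Brand - Model" device list.
TARGETED_MODELS = """
Amlogic/X96 - X96Q
MECOOL - KM9PRO
Rockchip - X88
Unknown - TV007
"""


def refang(domain):
    """Turn defanged notation (example[.]com) into a lowercase hostname
    without a trailing dot, so it can be compared with DNS log entries."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def load_c2_domains(text):
    return {refang(line) for line in text.splitlines() if line.strip()}


def load_model_names(text):
    """Keep only the model token after ' - ', which is what a device
    reports in ro.product.model (assumption for this example)."""
    models = set()
    for line in text.splitlines():
        if " - " in line:
            models.add(line.split(" - ", 1)[1].strip().lower())
    return models


def matches_c2(qname, c2):
    """Return the IoC that qname equals or is a subdomain of, else None.
    Walks from the full name up to (but not including) the bare TLD, so
    api.admoyu.com matches admoyu.com while notadmoyu.com does not."""
    labels = refang(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in c2:
            return candidate
    return None


# Constructed log format: "<timestamp> <client ip> <qtype> <qname>".
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def scan_dns_log(lines, c2):
    """Return {client_ip: [(timestamp, qname, matched_ioc), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue                       # skip lines in another format
        ioc = matches_c2(m["qname"], c2)
        if ioc:
            hits[m["client"]].append((m["ts"], refang(m["qname"]), ioc))
    return dict(hits)


def flag_inventory(inventory, models):
    """inventory: iterable of (ip, ro.product.model) pairs. Returns the
    IPs whose model string appears in the advisory's device list."""
    return sorted(ip for ip, model in inventory if model.strip().lower() in models)


def triage(dns_lines, inventory):
    """Combine both signals; 'confirmed' is a listed model that is also
    resolving C2 domains, the strongest lead this data can give."""
    c2 = load_c2_domains(DEFANGED_C2)
    models = load_model_names(TARGETED_MODELS)
    dns_hits = scan_dns_log(dns_lines, c2)
    model_hits = set(flag_inventory(inventory, models))
    return {
        "dns_hits": dns_hits,
        "model_hits": sorted(model_hits),
        "confirmed": sorted(set(dns_hits) & model_hits),
    }


SAMPLE_DNS_LOG = [  # constructed
    "2025-06-07T10:02:11Z 192.168.20.14 A api.admoyu.com.",
    "2025-06-07T10:02:13Z 192.168.20.14 A bullet-proxy.com",
    "2025-06-07T10:03:40Z 192.168.20.9 A www.google.com",
    "2025-06-07T10:04:02Z 192.168.20.31 AAAA cdn.notadmoyu.com",
    "2025-06-07T10:05:17Z 192.168.20.31 A SYSBINDER.XYZ",
    "malformed line that should be ignored",
]

SAMPLE_INVENTORY = [  # constructed
    ("192.168.20.14", "X96Q"),
    ("192.168.20.9", "Pixel 7"),
    ("192.168.20.31", "KM9PRO"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_DNS_LOG, SAMPLE_INVENTORY)
    for ip in result["confirmed"]:
        print(f"[!] {ip}: listed model resolving C2 domains {result['dns_hits'][ip]}")
```

Two caveats for real use. A model string match on its own is a lead, not a verdict: the list covers models the operators have targeted, and a device of that model is not necessarily infected. Conversely, some of the listed domains may be sinkholed or parked by the time a log is reviewed, so a hit should start a host investigation (firmware inspection for `libanl.so`, re-flash or replacement per the Incident Response items) rather than be treated as proof of active C2.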

Risk Assessment

Severity: Critical
Impact:

  • Financial losses through ad fraud and proxy abuse
  • Privacy breaches via credential theft and OTP harvesting
  • Operational disruption via DDoS and reputational damage
  • Difficult remediation requiring device re-flashing or replacement

Conclusion

BADBOX 2.0 exemplifies a modern, persistent Android threat combining deep supply chain infiltration, organizational criminal cooperation, and advanced malware engineering. With multiple revenue streams and resilience strategies, it poses an enduring risk to organizations and end users worldwide. Preventing future infections requires a shift to proactive supply chain validation, enforced procurement policies, and sustained behavioral monitoring.


Sources