BADBOX 2.0, a major botnet involved in ad fraud and residential proxy abuse, has infected around one million Android devices, including tablets, connected TV boxes, and car infotainment systems. The botnet is linked to four cybercriminal groups: SalesTracker Group, MoYu Group, Lemon Group, and LongTV, which share infrastructure and business ties.
The operation starts with backdoor malware installed on consumer devices; the infected devices are then used for fraudulent activities such as generating fake ad revenue, click fraud, and offering illicit proxy services. The malware also enables cybercrimes such as account takeovers and DDoS attacks. Most infected devices are manufactured in China and shipped globally, with the highest infection rates in Brazil, the U.S., Mexico, and Argentina.
The malware, known as Triada, spreads through pre-installed components, remote servers, and trojanized apps from third-party stores. Google has removed 24 apps from the Play Store involved in the scheme, and some of the botnet’s infrastructure was taken down by the German government in December 2024.
This latest iteration of BADBOX represents a more sophisticated cybercrime operation, using methods such as modifying legitimate Android libraries for persistence and spreading the malware through infected apps. The discovery comes after Google also removed over 180 apps linked to a separate ad fraud scheme.