Full Report
At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX, painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in
Analysis Summary
# Threat Actor: BADBOX 2.0 Ecosystem (SalesTracker Group, MoYu Group, Lemon Group, LongTV)
## Attribution & Identity
This is a complex, interconnected cybercrime ecosystem involving at least four distinct but cooperative threat actors orchestrating the massive **BADBOX 2.0** ad fraud and residential proxy scheme.
* **Primary Actors Identified:** SalesTracker Group, MoYu Group, Lemon Group, and LongTV.
* **Known Association:** SalesTracker Group is connected to the original BADBOX operation.
* **Backdoor Core:** The core backdoor, Codenamed **BB2DOOR**, is attributed primarily to **MoYu Group**, showing potential evidence of overlap with the **Vo1d** malware.
## Activity Summary
BADBOX 2.0 is described as the largest botnet of infected Connected TV (CTV) devices ever uncovered. The operation focuses on leveraging infected low-cost consumer devices to execute various forms of fraud and abuse.
* **Initial Compromise:** Infection begins via backdoors loaded onto devices, often distributed through hardware supply chain compromises, third-party marketplaces, or trojanized applications.
* **Core Activities:** Programmatic ad fraud, click fraud, and offering illicit residential proxy services.
* **Specific Abuses:** Hidden ads/WebViews for fake ad revenue, navigation to low-quality domains, routing traffic for Account Takeover (ATO), fake account creation, malware distribution, and DDoS attacks.
* **Recent Disruption:** Partially disrupted twice in three months, including sinkholing of several BADBOX 2.0 domains and the removal of 24 associated apps from the Google Play Store by Google. The German government previously took down a portion of the infrastructure.
## Tactics, Techniques & Procedures
The TTPs center around device compromise and maintaining persistent backdoor access on Android Open Source Project (AOSP) devices.
* **Infection Vector:** Distributing malware disguised as benign applications via third-party app stores (over 200 trojanized apps identified).
* **Persistence/Propagation (BB2DOOR):** The mechanism for propagation involves three methods: pre-installed components, components fetched from remote servers upon first boot, and download via trojanized apps.
* **Evasion:** Modifying legitimate Android libraries to establish persistence.
* **Proxy Abuse:** Routing external traffic through compromised devices for malicious use (ATO, DDoS).
* **Ad Fraud:** Launching hidden WebViews and navigating to low-quality domains to generate fake ad revenue.
* **Actor Specific TTPs:**
* **MoYu Group:** Oversees the core BB2DOOR backdoor and advertises proxy services.
* **SalesTracker Group:** Monitors infected devices and is linked to the original BADBOX campaign.
* **Lemon Group:** Manages residential proxy services and runs ad fraud campaigns on HTML5 game websites.
* **LongTV:** Utilizes an "evil twin" approach across two dozen of its apps for ad fraud.
## Targeting
* **Sectors:** Primarily targets owners of low-cost consumer electronics, impacting digital advertising ecosystems.
* **Geography:** Infections reported globally, with the highest concentrations in:
* Brazil (37.6%)
* United States (18.2%)
* Mexico (6.3%)
* Argentina (5.3%)
* **Victims:** Estimated up to one million infected devices, including inexpensive Android tablets, Connected TV (CTV) boxes, digital projectors, and car infotainment systems manufactured in mainland China. The devices are generally AOSP, not Play Protect certified Android TV OS devices.
## Tools & Infrastructure
* **Malware Families Used:** BB2DOOR (the core backdoor), which is based on the Android malware **Triada**. Overlaps suggested with **Vo1d** malware.
* **Infrastructure:** Relies on Command-and-Control (C2) servers owned and operated by the cooperative threat actors. Domains used for initial communication have been subject to sinkholing operations.
## Implications
The BADBOX 2.0 scheme represents an "open-season" environment for cybercrime due to the nature of the compromise. Once the sophisticated backdoor (BB2DOOR) is established on a device, the actors have significant control (akin to root access) to instruct the device to carry out *any* cyber attack they develop, far exceeding simple ad fraud. The cooperation between distinct groups suggests a mature, modular cybercrime business model.
## Mitigations
* **Device Vetting:** Organizations and consumers should prioritize devices running Play Protect certified Android OS, as these undergo security and compatibility testing that AOSP devices may lack.
* **Supply Chain Diligence:** Increased scrutiny on the provenance and pre-installed software on low-cost consumer electronics, especially those manufactured in China.
* **Application Source Control:** Avoid installing applications from third-party app stores, as this was a primary distribution vector for trojanized apps associated with the scheme.
* **Network Monitoring:** Monitor network egress traffic from IoT/CTV devices for unusual outbound activity indicative of proxy usage or participation in DDoS attacks.