
HUMAN’s Satori Threat Intelligence Team uncovered BADBOX 2.0, a massive escalation in cyber fraud infecting over a million devices worldwide—targeting everything from off-brand smart TVs to Android tablets. In this Q&A, HUMAN’s CISO, Gavin Reid, discusses how cybercriminals have leveled up their tactics, why advertisers should be concerned, and what can be done to fight back.
Two years ago, HUMAN’s Satori Threat Intelligence Team uncovered BADBOX 1.0, a novel threat using ‘evil twin’ apps to execute ad fraud. But as HUMAN worked to disrupt the scheme, cybercriminals evolved their tactics. Through continued vigilance, HUMAN uncovered BADBOX 2.0—a more dangerous operation that represents a massive escalation, with highly sophisticated malware now infiltrating off-brand connected TVs, tablets, and various Android devices across the digital ecosystem.
The operation’s scale is staggering, growing from approximately 70,000 infected devices in the original scheme to over one million in BADBOX 2.0. These compromised devices now power a criminal enterprise that spans programmatic ad fraud, click fraud, illegal residential proxy services, and even account takeovers.
AdMonsters spoke with Gavin Reid, HUMAN’s CISO, who led the investigation into this sophisticated operation, to understand its impact on advertisers and the efforts to combat it.
AdMonsters: While investigating BADBOX 1, HUMAN discovered a new round of fraud, which you’re calling BADBOX 2.0. What is BADBOX 2.0, and how does it differ from the original BADBOX?
GR: BADBOX 2.0 is a significant expansion and adaptation of the original BADBOX operation, which we first uncovered in 2023. When we investigated BADBOX 1, we saw a more straightforward structure in which a single backdoor, known as Triada, was used to infect devices.
This malware was pre-installed on devices at the manufacturing stage. Having one backdoor made it easier to spot and disrupt. It was relatively straightforward in its operation, and fewer devices and device types were involved.
AdMonsters: I remember talking to Lindsey Kaye about BADBOX, and it didn’t seem that straightforward. It sounded like a sophisticated scheme by the threat actors to obfuscate their activities.
GR: That’s true, but BADBOX 2.0 is far more complex and widespread. The threat actors have expanded their fraud operation, targeting various devices—off-brand, uncertified Android Open Source Project (AOSP) devices. These included connected TV boxes, tablets, and even aftermarket car infotainment systems.
What makes BADBOX 2.0 different is the sheer scale and diversity of the devices infected. Instead of a single malware type, we’re now dealing with hundreds of different variants, which makes it harder to spot and disrupt.
AdMonsters: Are the threat actors using the same methods in BADBOX 2.0 as they did in BADBOX
GR: BADBOX 2.0 is a much more sophisticated and targeted operation than BADBOX 1. The threat actors have significantly adapted and expanded their methods.
One key difference is the diversification of their attack strategies. They no longer rely on one factory backdoor and have added drive-by downloads or infected apps from third-party app stores. They’ve also increased the sophistication of their malware, deploying multiple variants and using new tactics to disguise their activities, which makes it harder to spot.
In addition, the scope of the operation has grown substantially. Over a million devices are affected now, compared to just around 70,000 with BADBOX 1. This growth highlights how much more widespread and effective the operation has become.
The fraud itself is also more advanced. Beyond the typical programmatic ad fraud seen in BADBOX 1, we’re now also seeing click fraud, where infected devices generate fake clicks on ads, driving up advertisers’ costs. Like in BADBOX 1, these devices are still being used for residential proxy services, which allow cybercriminals to disguise their activities behind what appears to be legitimate user traffic.
AdMonsters: Can you walk us through some of the scams and fraud tactics used in BADBOX 2.0? How does it affect advertisers and publishers?
GR: Similar to BADBOX 1, the infected devices are still used for residential proxy services, allowing cybercriminals to hide their activities behind legitimate user traffic.
There’s also a significant component where they’re directing traffic to H5 game sites. If you visit one of these sites, the games are nearly impossible to play. But, in the background, these infected devices automatically play these games and generate revenue for the criminals.
BADBOX 2.0 also lets the threat actors engage in serious fraud beyond ad scams. The residential proxy network they’ve built up can be used by other bad actors for things like account takeovers, where they steal access to people’s online accounts, or fake account creation, where they set up bogus profiles for fraudulent purposes. They can also use this network to steal credentials, exfiltrate sensitive information, and even launch DDoS attacks.
These activities are typically carried out by downstream criminals who purchase access to the proxy services provided by the infected devices. This allows them to hide their tracks, making it much harder to trace their criminal activities back to the source.
AdMonsters: What’s a residential proxy service?
GR: A residential proxy network is essentially a network of infected devices, such as smartphones, tablets, or connected TVs, that are used by threat actors to disguise their fraudulent activities. When a device is compromised through something like the BADBOX 2.0 malware, it becomes part of this network, allowing the attackers to route malicious traffic through the device.
For the consumer, there’s no immediate indication that anything is wrong. They continue using the device as usual, watching TV or using apps, but the device is being used in the background to carry out fraud. This could involve generating fake clicks on ads, committing click fraud, or enabling other criminal activities. The main issue is that the device is essentially used to assist in fraudulent activities without the owner’s knowledge or consent.
AdMonsters: Where are these attacks occurring? Are they in the U.S.?
GR: We discovered that BADBOX 2.0 has a significant global presence, with infected devices found across 222 countries and territories, including the U.S. While there is significant activity in the U.S., the highest concentration of infections is in Latin America, particularly in Brazil. This indicates that while the threat is widespread, the real volume of attacks is centered in Latin America.
AdMonsters: How much money are advertisers losing to this scheme?
GR: I can’t provide specific numbers. I can tell you it’s a significant amount. We’re talking millions of dollars over the entire campaign. It’s not just hundreds of thousands; the scale of the fraud is much larger, affecting advertisers and publishers across the board.
AdMonsters: It sounds like fighting such a widespread fraud operation requires substantial collaboration. Who are your partners in disrupting BADBOX 2.0, and how are these partnerships helping combat the fraud?
GR: We’re working closely with several trusted partners, including Google, Trend Micro, The Shadowserver Foundation, and various law enforcement agencies. These collaborations allow us to share intelligence, disrupt the infrastructure powering these attacks, and protect consumers and businesses from fraud.
I should emphasize that the investigation and the scheme are ongoing.
AdMonsters: What role do cheap, off-brand devices play in this scheme? Why are they particularly vulnerable to infection?
GR: Cheap, off-brand devices are particularly vulnerable to infection because they often come with minimal security and quality controls. These devices, especially those running uncertified Android Open Source Project (AOSP) versions, are more likely to be sold with pre-installed malware or are susceptible to being compromised through drive-by downloads or apps from third-party app stores. And because they don’t have regular security updates and certifications, once a backdoor is installed, it’s far more challenging for consumers to detect or protect against it.
What’s alarming is that many consumers may not even think twice about purchasing these cheaper devices, especially when they offer features that seem too good to pass up, like low prices or access to free content. But the reality is that these devices are often sold with little regard for security or future updates, making them prime targets for these kinds of fraud operations.
AdMonsters: That’s an interesting point. We may not think twice about spending a little more on a secure tablet, but we might be more willing to purchase a cheap, off-brand connected TV without realizing the potential risks. How can consumers better protect themselves from this kind of fraud?
GR: The first and most important step is awareness. Consumers need to recognize that, just like with smartphones or tablets, the quality and security of connected devices—especially off-brand ones—matter. Everyone should be cautious when purchasing devices from unfamiliar or unverified brands. Look for Play Protect certified devices with built-in security features like regular software updates, firewalls, and encryption. If a device seems too good to be true, it often is, so making informed decisions is crucial rather than focusing solely on price.
We should also be cautious about downloading apps from third-party sources. The safest approach is to stick to trusted marketplaces and be wary of deals that seem overly discounted.
About Gavin Reid
Gavin Reid serves as the CISO for HUMAN Security, a cybersecurity company that specializes in safeguarding enterprises from digital attacks while preserving digital experiences for users. In addition, he leads the Satori Threat Intelligence and Research Team. Gavin began his cybersecurity career in information security at NASA’s Johnson Space Center. He later went on to create Cisco’s Security Incident Response Team (CSIRT), Cisco’s Threat Research and Communications (TRAC), and Fidelity’s Cyber Information Group (CIG).
Before joining HUMAN, Gavin served as the CSO for Recorded Future, where he was responsible for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. For more than 20 years, Gavin has managed every aspect of security for large enterprises.