1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers


Researchers from multiple firms say the campaign appears to come from a loosely linked ecosystem of fraud groups rather than a single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules, and each spreads the software in different ways. In some cases the malicious code is preinstalled on devices before they reach buyers, but in many of the instances the researchers detected, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers publish a benign app, say a game, in Google’s Play Store so that it appears legitimate, then steer users to download a nearly identical version of the app that is not offered in official app stores and is malicious. The researchers say they have seen such “evil twin” apps at least 24 times; the pairing lets the attackers run ad fraud in the Google Play versions of their apps while distributing malware through the imposter versions. Human also found that the scammers distributed more than 200 compromised, re-skinned versions of popular mainstream apps as another way of spreading their backdoors.

“We saw four different types of fraud modules: two ad fraud, one fake click one, and then the residential proxy network, but it is extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time went on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro worked with Human on the Badbox 2.0 investigation, focusing in particular on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He adds that while there are “easily up to a million devices online” for any one of the groups, “this is only the number of devices currently connected to their platform. If you count all the devices that would probably have their payload, it would probably exceed a few million.”

Yarochkin adds that many of the groups involved in the campaigns have connections to Chinese gray-market advertising and marketing firms. More than a decade ago, he explains, there were several legal cases in China in which businesses installed “silent” plugins on devices and used them for a variety of apparently fraudulent activities.

“The businesses that survived that era of 2015 were the companies that adapted,” says Yarochkin. He notes that his investigation has now identified several “business entities” in China that appear to be linked to some of the groups involved in Badbox 2.0. The connections include both economic and technical links. “We identified their addresses, we saw some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also worked with the internet security group Shadowserver to neutralize as much Badbox 2.0 infrastructure as possible by sinkholing the botnet, so that its traffic and its requests for instructions are sent into a void. But the researchers warn that, given how the scammers regrouped after the revelations about the original Badbox scheme, it is unlikely that exposing Badbox 2.0 will end the activity permanently.

“As a consumer, keep in mind that if a device is too cheap to be true, you should be prepared for some extra surprises hidden in the device,” says Trend Micro’s Yarochkin. “There is no free cheese unless the cheese is in a mousetrap.”
