
Google sues to disrupt BadBox 2.0 botnet infecting 10 million devices


Google has filed a lawsuit against the anonymous operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company's advertising platforms.

The BadBox 2.0 malware botnet is a cybercrime operation that utilizes infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections, such as Google Play Protect.

These devices become infected either by threat actors purchasing low-cost AOSP devices, modifying the operating system to include the BadBox 2 malware, and then reselling them online, or by tricking users into downloading and installing malicious apps on their devices that contain the malware.

The malware acts as a backdoor: it connects to command-and-control (C2) servers operated by the attackers and receives commands to execute on the device.

Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims' knowledge or are used to conduct ad fraud.

Google's lawsuit primarily focuses on the ad fraud component, which the botnet commonly conducts against the company's advertising platforms.

This ad fraud is done in three ways:

- Hidden ad rendering: Fake "evil twin" apps are silently installed on infected devices to load hidden ads in the background on attacker-controlled websites with Google ads, generating fraudulent ad revenue for the operation.

- Web-based game sites: Bots are instructed to launch invisible web browsers and play rigged games that rapidly trigger Google ad views. Each ad view results in revenue for the attacker-controlled publisher accounts.

- Search ad click fraud: Bots are instructed to perform search queries on attacker-operated websites that utilize AdSense for Search, generating advertising revenue from advertisements shown in the retrieved search results.
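The two traffic shapes described above (ad views that are never visible to a person, and bursts of ad views far faster than a human could produce) are the kind of signal an ad-serving or publisher-side log can surface. The following is an added example, not code from the article or from Google, and it assumes a hypothetical log format with a per-event `viewable=` flag; the sample log lines and thresholds are constructed for illustration.

```python
"""Flag devices whose ad-view traffic matches hidden-rendering or burst patterns.

Added illustration; the log format (timestamp device publisher event viewable=0|1)
and the thresholds are assumptions, not anything from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<publisher>\S+) (?P<event>\S+) viewable=(?P<viewable>[01])$"
)

# Constructed sample log (not real data):
#   dev-A: three viewable ad views spread over six minutes (human-like)
#   dev-B: thirty ad views inside one minute (rigged-game burst pattern)
#   dev-C: five ad views that are never viewable (hidden background rendering)
SAMPLE_LOG = "\n".join(
    [f"2025-07-17T10:0{i * 3}:00Z dev-A pub-1 ad_view viewable=1" for i in range(3)]
    + [f"2025-07-17T10:00:{i:02d}Z dev-B pub-2 ad_view viewable=1" for i in range(0, 60, 2)]
    + [f"2025-07-17T10:0{i}:00Z dev-C pub-3 ad_view viewable=0" for i in range(5)]
    + ["2025-07-17T10:05:00Z dev-A pub-1 heartbeat viewable=1"]  # non-view event, ignored
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "device": m["device"],
            "publisher": m["publisher"],
            "event": m["event"],
            "viewable": m["viewable"] == "1",
        })
    return events


def flag_devices(events, window_seconds=60, max_views_per_window=10, hidden_ratio=0.9):
    """Return {device: [reasons]} for devices whose ad views look automated.

    Two heuristics (thresholds are assumed, tune to the property):
      * more than max_views_per_window ad views inside any window_seconds span
      * at least hidden_ratio of ad views never viewable (minimum three views)
    """
    by_device = defaultdict(list)
    for e in events:
        if e["event"] == "ad_view":
            by_device[e["device"]].append(e)

    flags = {}
    for device, views in by_device.items():
        views.sort(key=lambda e: e["ts"])
        reasons = []

        # Sliding window: largest number of views within any window_seconds span.
        peak, start = 0, 0
        for end in range(len(views)):
            while (views[end]["ts"] - views[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_views_per_window:
            reasons.append(f"{peak} ad views within {window_seconds}s")

        hidden = sum(1 for e in views if not e["viewable"])
        if len(views) >= 3 and hidden / len(views) >= hidden_ratio:
            reasons.append(f"{hidden}/{len(views)} ad views never viewable")

        if reasons:
            flags[device] = reasons
    return flags


if __name__ == "__main__":
    for device, reasons in flag_devices(parse_log(SAMPLE_LOG)).items():
        print(device, "->", "; ".join(reasons))
```

On the constructed sample, dev-B is flagged for the burst and dev-C for never-viewable impressions, while dev-A's slow, viewable traffic passes. Real deployments would key on more than a device identifier (publisher account, IP reputation, user-agent consistency), since the article notes the infected devices are also sold as residential proxies.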
