1 million third-party Android devices have a secret backdoor for scammers

Researchers from multiple companies say the campaign appears to come from a loosely connected ecosystem of fraud groups rather than a single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware and distributes the software in different ways. In some cases the malicious applications come pre-installed on compromised devices, but in many of the examples the researchers track, attackers trick users into unknowingly installing compromised applications themselves.

The researchers highlight one technique in which the fraudsters publish a benign application, say a game, on Google's Play Store so that it appears to have been vetted, and then lure users into downloading a nearly identical version of the app that is hosted outside the official app stores and is malicious. Such "evil twin" applications have appeared at least 24 times, the researchers say, letting the attackers run advertising fraud through the Google Play versions of their apps while distributing malware through the self-hosted versions. HUMAN also found that the fraudsters had distributed over 200 compromised, re-bundled, or re-branded versions of popular mainstream applications as another way to spread their backdoor.

"We have seen four different types of fraud module – two ad fraud, one fake click one, and then the residential proxy network – but it is expanding," says Lindsay Kaye, vice president of threat intelligence at HUMAN. "So you can imagine how, if this had continued and they were able to develop more modules, they might create more relationships; there is an opportunity to have additional ones."

Researchers at the security company Trend Micro worked with HUMAN on the investigation of Badbox 2.0, focusing in particular on the actors behind the activity.

"The scale of the operation is huge," says Fyodor Yarochkin, a senior threat researcher at Trend Micro. He adds that while there are "easily up to a million devices online" for any of the groups, "this is just the number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it will probably exceed a few million."

Yarochkin adds that many of the groups involved in the campaigns appear to have some connection to Chinese gray-market advertising and marketing companies. More than a decade ago, Yarochkin explains, there were numerous cases in China in which companies installed "silent" plugins on devices and used them for a varied set of seemingly fraudulent activities.

"The companies that generally survived that era around 2015 were companies that adapted," says Yarochkin. He notes that his investigations have already identified numerous "business entities" in China that appear to be linked to some of the groups participating in Badbox 2.0. The links include both financial and technical connections. "We identified their addresses, we saw some pictures of their offices, they have accounts of some employees on LinkedIn," he says.

HUMAN, Trend Micro, and Google also collaborated with the internet security group Shadowserver to sinkhole as much of the Badbox 2.0 infrastructure as possible, so that the botnet is essentially sending its traffic and requesting instructions into a void. But the researchers warn that, because the fraudsters regrouped after the discovery of the original Badbox scheme, exposing Badbox 2.0 is unlikely to permanently stop the activity.

"As a user, you should keep in mind that if the device is too cheap to be true, you must be prepared that there may be some additional surprises hidden in the device," says Yarochkin of Trend Micro. "There is no free cheese unless the cheese is in a mousetrap."
