This week on the Lock and Code podcast, we speak with Tim Shott about his attempt to find his location data following a major data breach.

_This week on the Lock and Code podcast…_

Something’s not right in the world of location data.

In January, a location data broker named Gravy Analytics was hacked, with the alleged cybercriminal behind the attack posting an enormous amount of data online as proof. Though relatively unknown to most of the public, Gravy Analytics is big in the world of location data collection, and, according to an enforcement action from the US Federal Trade Commission last year, the company claimed to “collect, process, and curate more than 17 billion signals from around a billion mobile devices daily.”

Those many billions of signals, because of the hack, were now on display for security researchers, journalists, and curious onlookers to peruse, and when they did, they found something interesting. Listed amongst the breached location data were occasional references to thousands of popular mobile apps, including Tinder, Grindr, Candy Crush, My Fitness Pal, Tumblr, and more.

The implication, though unproven, was obvious: The mobile apps were named with specific lines of breached data because those apps were the _source_ of that breached data. And, considering how readily location data is traded directly from mobile apps to data brokers to advertisers, this wasn’t too unusual a suggestion.

Today, nearly every free mobile app makes money through ads. But ad purchasing and selling online is far more sophisticated than it used to be for newspapers and television programs. While companies still want to place their ads in front of demographics they believe will have the highest chance of making a purchase—think wealth planning ads inside the Wall Street Journal or toy commercials during cartoons—most of the process now happens through pieces of software that can place bids at data “auctions.” In short, mobile apps sometimes collect data about their users, including their location, device type, and even battery level. The apps then bring that data to an advertising auction, and separate companies “bid” on the ability to send their ads to, say, iPhone users in a certain time zone or Android users who speak a certain language.

This process happens every single day, countless times every hour, but in the case of the Gravy Analytics breach, some of the apps referenced in the data expressed that, one, they’d never heard of Gravy Analytics, and two, no advertiser had the right to collect their users’ location data.

In speaking to 404 Media, a representative from Tinder said:

“We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app.”

A representative for Grindr echoed the sentiment:

“Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years.”

And a representative for a Muslim prayer app, Muslim Pro, said much of the same:

“Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users.”

What all of this suggested was that some _other_ mechanism was allowing for users of these apps to have their locations leaked and collected online.

And to try to prove that, one independent researcher conducted an experiment: Could he find himself in his own potentially leaked data?

Today, on the Lock and Code podcast with host David Ruiz, we speak with independent research Tim Shott about his investigation into leaked location data. In his experiment, Shott installed two mobile games that were referenced in the breach, an old game called Stack, and a more current game called Subway Surfers. These games had no reason to know his location, and yet, within seconds, he was able to see more than a thousand requests for data that included his latitude, his longitude, and, as we’ll learn, a whole lot more.

> “ I was surprised looking at all of those requests. Maybe 10 percent of \[them had\] familiar names of companies, of websites, which my data is being sent to… I think this market works the way that the less you know about it, the better from their perspective.”

Tune in today to listen to the full conversation.

_how notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How ads weirdly know your screen brightness, headphone jack use, and location, with Tim Shott (Lock and Code S06E05) 

Plus: The world’s “largest illicit online marketplace” gets hit by regulators, police seize the Garantex crypto exchange, and scammers trick targets by making up ransomware attacks.

As Donald Trump’s administration continues its relentless reorganization of the United States federal government, documents obtained by WIRED showed this week that the Department of Defense is looking at cutting as much as three-quarters of its workforce that’s specifically focused on stopping proliferation of chemical, biological, and nuclear weapons. Meanwhile, the US Army is using its “CamoGPT” AI tool to “review” diversity, equity, inclusion, and accessibility policies per Trump administration orders. The military originally developed the AI service to improve productivity and operational readiness.

US civil liberties organizations are pushing the director of national intelligence. Tulsi Gabbard, to declassify details about Section 702 of the Foreign Intelligence Surveillance Act—a central overseas wiretap authority that is notorious for also capturing a large number of calls, texts, and emails made or sent by Americans. And the US Justice Department on Wednesday charged 10 alleged hackers and two Chinese government officials over digital crimes spanning more than a decade as part of China’s extensive hack-for-hire ecosystem.

Ongoing analysis from a consortium of researchers led by Human Security found that at least a million low-price Android devices, like TV streaming boxes and tablets, have been compromised as part of a scamming and ad fraud campaign known as Badbox 2.0. The activity, which the researchers say comes out of China, is an evolution of a previous effort to backdoor similar devices.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Cybercriminals Allegedly Used a Backdoor to Steal Taylor Swift Tickets**

Two people who allegedly worked as part of a group to access nearly 1,000 tickets to concerts and other events—many for Taylor Swift’s Eras Tour—before selling them on for more than $600,000 profit were arrested and charged with the potential crimes in Queens this week. Tyrone Rose, 20, and Shamara P. Simmons, 31, of Jamaica, Queens, were arrested and arraigned in connection to the theft and sales, according to Queens district attorney Melinda Katz.

Between June 2022 and July 2023, it is alleged that 350 orders—totaling 993 tickets—on ticketing platform StubHub were accessed at a third-party contractor called Sutherland. “The Sutherland employees, defendant Tyrone Rose and an unapprehended accomplice, allegedly used their access to StubHub’s computer system to find a backdoor into a secure area of the network where already sold tickets were given a URL and queued to be emailed to the purchaser to download,” the district attorney’s office wrote in a statement.

They then emailed URLs to another accomplice who has since died, the office says, before posting the tickets to StubHub for resale. While the investigations are ongoing, the District Attorney’s office claimed the proceeds of the cybercrime totaled around $635,000 and also involved tickets for Ed Sheeran concerts, NBA games, and the US Open Tennis Championships.

**Payment Provider Linked to ‘Largest Illicit Online Marketplace’ Loses Banking License**

Every year, criminals make billions from the operations of highly organized scam compounds in Southeast Asia. As these operations have grown in sophistication, so has the wider ecosystem that supplies them with the technology and services needed to run the scams. And experts say there’s no bigger marketplace than Huione Guarantee—a Cambodian gray market selling scam services that researchers claim has facilitated more than $24 billion in transactions.

This week, according to a report by Radio Free Asia, the banking arm of Huione Guarantee’s parent company, Huione Group, had its financial license suspended by officials in Cambodia. According to the report, the Huione Pay service had its license withdrawn for failing to comply with “existing regulations.” The United Nations Office on Drugs and Crime and crypto tracing firm Elliptic previously had linked money moving through Huione Pay to cyberscamming. “They are willing facilitators of pig butchering and other fraud, so any regulatory action against them should be welcomed,” Elliptic founder Tom Robinson claimed to Radio Free Asia.

**Russian Cryptocurrency Exchange Garantex Taken Down in Law Enforcement Action**

The US Department of Justice announced an operation this week with Germany and Finland to disrupt the digital infrastructure behind notorious Russian cryptocurrency exchange Garantex. For years, the platform has allegedly been used for money laundering and other criminal transactions, including sanctions evasion. The DOJ claimed in its announcement that “transnational criminal organizations—including terrorist organizations” have utilized the exchange. Law enforcement said that the platform has processed at least $96 billion in cryptocurrency transactions since April 2019. US authorities said they froze over $26 million in funds used to facilitate money laundering as part of the Garantex takedown.

**Scammers Are Impersonating Notorious Ransomware Attackers to Extort Targets**

The FBI warned this week that scammers pretending to be attackers from the BianLian ransomware gang are demanding ransoms from corporate executives in the US. The demands include claims that the group has breached a company’s network and threaten to publish sensitive information unless a target pays up. Such criminal digital extortion is common enough that scammers apparently feel that they can plausibly make the claims and intimidate targets without even attacking them. The FBI says that the scammers’ ransom demands say that they come from BianLian and range from $250,000 to $500,000 payable via a QR code that links to a Bitcoin wallet. The real BianLian group has links to Russia and has targeted US critical infrastructure since June 2022, according to a November alert from the US Cybersecurity and Infrastructure Security Agency.

Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

Unmasking the new persistent attacks on Japan

Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work.

Tasks scam are surging, with a year over year increase of 400%. So I guess it should have been no surprise when I was contacted by a task scammer on X recently.

Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually gamified—organized in sets of 40 tasks that will take the victim to a “next level” once they are completed. Sometimes the victim will be given a so-called double task that earns a bigger commission.

The scammers make the victim think they are earning money to raise trust in the system. But, at some point, the scammers will tell the victims they have to make a deposit to get the next set of tasks or get their earnings out of the app. Victims are likely to make that deposit, or all their work will have been for nothing.

So when the task scammer contacted me on X to offer me a nice freelance job, I was keen to see where it would take me.

Beginning the message with emojis, Birdie started the chat…

Group invitation on X

> “\[emoji intro\] Hello, I am a third-party agency from the UK, specializing in providing ranking and likes services for Booking+Airbnb hotel applications. The company is now recruiting freelancers worldwide. You only need a mobile phone to easily get it done, and the time and location are flexible. The daily salary is 100-300€, and the monthly salary of formal employees is 3000-10000€. Note (this article is not suitable for students under 22 years old, and African and Indian employees cannot be hired due to remittance issues) For more details please see the WhatsaPP link: \[shortened bit.ly URL\]”

In this case, I was asked to contact the scammer on WhatsApp, but I’ve also seen the same campaign asking the victims to reach out on Telegram.

Invitation to a Telegram conversation

The Telegram invitation was a bit more limited (European and American female users only) but extended to a larger group of 150 accounts on X. What the ones that reached out to me had in common was that they all found my profile on X. Mind you, my profile is not some honeytrap, it clearly says I blog for Malwarebytes.

So, last week I was up for some distraction and decided to follow up on the WhatsApp invitation which was still live. I reset an old phone to factory settings and bought a burner SIM card. With that phone in hand, I set up a Gmail account and installed WhatsApp. I added Birdie Steuber to my contacts with the phone number I found by following the URL. Then I reached out asking if they still had openings.

The bait was taken within minutes: hook, line, and sinker.

introductions

So, Birdie is actually Tina from Sheffield in the UK. The job is available and does not require any special skills or experience. Tina tells me all you need is internet access and you can start working for booking.com.

Next is a long-winded explanation of what the job entails with another mention of the fortune you can make. I suspect the explanation is meant to be slightly confusing, knowing the general population would be embarrassed to ask for a better explanation and just will go ahead and carry out the tasks.

explanation?

More explanations about the job are followed by a quick query whether I will be able to buy USDT, the “hottest cryptocurrency in the world” as Tina described it. (It isn’t.)

USDT required

Tina then asks me to create an account on a fake booking.com website.

create an account on a fake booking(dot)com site

Here’s that site.

the fake booking site

Once I’d set that up, Tina set me up with a training account to learn the tasks. The actual tasks consist of clicking two buttons labelled “Start task” and “Submit” which gets mind-numbing really quick. But, hey, I was wasting a scammers’ time, so it was worth it.

That training account had a balance of over 1,000 USDT, probably to make the victim even more interested.

balance training account

What happened next is likely a demonstration of another tactic the scammers will use to get people to deposit more USDT: A lucky order!

lucky order

I was shown a prompt that I had run into “a 4% lucky order”, which Tina called a merge task that rendered a 4% commission.

Next followed an elaborate explanation on how Tina had to top up the balance to make up for the negative “Pending Amount” and asked me to contact customer support for instructions.

negative pending amount needs to be topped up

But to my surprise this was not what I was asked to do the next day when we continued our conversation. However, Tina quickly revealed how they were expecting to get 100 USDT from me.

> “I forgot to tell you, it takes 100usdt to complete a new round of 40/40 orders to reset 40 new orders. Because 100usdt is to optimize the hotel 100usd reservation fee. Once you complete the 40/40 order task you can withdraw all funds. This is to help the hotel increase the number of real bookings and exposure to earn commission income. The commission income per order is 0.5 per cent. 100usdt will probably get 40-60usdt after completing the 40/40 order task.”

After I completed my first 40 tasks, I was shown this notification letting me know I had reached the maximum number of tasks for the day, at which point I was expected to top op my account at my own expense.

Please contact customer service to recharge and refresh the task

Once I convinced Tina we had purchased 100 USDT, I was told to contact customer support for instructions.

The instructions were similar to the ones I received a day earlier. But at this point I had to terminate because I didn’t want to give the scammers any actual money.

Checking the balance on the account numbers they provided me with during our conversation showed there are likely others who are handing over money. And they very well may have many more accounts.

balance in the USDT accounts belonging to the scammers

These scams are likely designed to be confusing. The actual tasks were nowhere near as difficult as the explanation of what the job entailed.

In the end I revealed to Tina that I was the one that wrote an article about task scams, but Tina did not give up that easily. She kept trying to convince me there was money to be made.

If you’d like to read the whole conversation I had with Tina you can find it here.

****How to avoid task scams****

As I pointed out, all the task scam invitations I received came to me in the form of Message requests on X. So, that’s a good place to be very cautious. Once you know the red flags, it is easier to avoid falling for task scams.

*   Do not respond to unsolicited job offers via text messages or messaging apps
*   Never pay to get paid
*   Verify the legitimacy of the employer through official channels
*   Don’t trust anyone who offers to pay you for something illegal such as rating or liking things online

It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is.

If you run into a task scam, please report them to the FTC at ReportFraud.ftc.gov. 

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 I spoke to a task scammer. Here&#8217;s how it went 

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information.
"These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said. "And more phone calling scammers are using spoofing techniques to hide their real

Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud

Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.

Google has issued updates to fix 43 vulnerabilities in Android, including two zero-days that are being actively exploited in targeted attacks.

The updates are available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-03-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs assigned to the two zero-days are:

CVE-2024-43093: A possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege (EoP) with no additional execution privileges needed. Exploitation of this vulnerability requires user interaction. Google confirms that CVE-2024-43093 has been under limited, targeted exploitation.

A file path filter is supposed to prevent access to sensitive directories on a device. In this case the ‘shouldHideDocument’ function. However, due to incorrect Unicode normalization, an attacker might be able to bypass this filter. Unicode normalization refers to the process of standardizing Unicode characters to ensure that equivalent characters are treated as the same. Flaws in this process can lead to security issues, such as bypassing the filter, allowing an attacker access to normally off-limits files, such as system configuration files or sensitive data.

The specific nature of the required user interaction is not detailed in the available information. Typically, user interaction might involve opening a malicious app or file, clicking on a link, or performing another action that triggers the exploit.

CVE-2024-50302: An issue in the Linux Kernel which allowed unauthorized access to kernel memory reportedly exploited in Serbia by law enforcement using Cellebrite forensic tools to unlock a student activist’s device and attempt spyware installation.

This flaw lies in the Linux kernel’s driver used by Android for Human Interface Devices and allows an attacker to unlock devices that they have physical access to. The flaw was used in a chain of vulnerabilities which Amnesty International’s Security Lab found on a device unlocked by Serbian authorities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android zero-day vulnerabilities actively abused. Update as soon as you can 

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it said have come under active exploitation in the wild.
The two high-severity vulnerabilities are listed below -

CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb,"

Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky

Tag

#android