Latest news with #BADBOX

Google Play Store Warning—Find And Delete All Apps On This List

Forbes

03-07-2025

  • Forbes


Delete all these apps from your smartphone

Here we go again. A list of malicious apps has just been published and smartphone users are being urged to root out and delete any still on their devices. The latest report outs more than 350 apps responsible for more than a billion ad bid requests per day.

This latest report comes courtesy of Human Security's Satori team, which says it has 'disrupted IconAds, a massive fraud operation involving hundreds of deceptive mobile apps that hide their presence and deliver unwanted ads.' This app campaign has been under investigation for some time, but is growing its viral presence. Satori says this 'highlights the evolving tactics of threat actors,' and that the scale of threats such as this is similar to BADBOX 2.0, the major IoT threat flagged by the FBI and Google, in which millions of smart TVs and other devices

Here is the list of IconAds issued by Human; and here is the list of previously known apps flagged by other researchers before this latest report was published. This adware follows on from the HiddenAds threat, but on a much larger scale. The malware takes over devices with unwanted fullscreen ads, generating revenue for its handlers. It even changes app icons to avoid detection and removal.

Global IconAds campaign

'While these apps often have a short shelf life before they're removed from Google's Play Store,' Satori says, 'the continued new releases demonstrate the threat actors' commitment to further adaptation and evolution.' Google has now deleted all of the apps in the report from the Play Store, and users with Play Protect enabled will be protected from those apps. But apps are not automatically deleted from devices, so you should do this manually.

In its technical report, Satori warns that the operation is so large that it deployed a dedicated domain for every malicious app, which helped the team compile their list.

'These domains consistently resolve to a specific CNAME and return a specific message; this means that while the domains were different, they very likely shared the same back-end infrastructure or second-level C2. These and other unique parameters allowed Satori researchers to find more of these domains and associate them back to IconAds.'

The team also warns that the app obfuscation was highly deceptive. In one instance, an app 'used a variation of the Google Play Store's own icon and name. When opened, it automatically redirects into the official app while working in the background.' Satori says 'the IconAds operation underscores the increasing sophistication of mobile ad fraud schemes. Ongoing collaboration across the digital advertising ecosystem is essential to disrupting these and future fraud operations.'

FBI warns of hidden 'malicious' threats lurking in widely used devices

The Star

23-06-2025

  • The Star


The Federal Bureau of Investigation has issued a public service announcement alerting Americans to a growing cyber threat that may already be inside their homes – and it's a threat many people don't even realise. According to the FBI, cybercriminals are hijacking TV streaming sticks, digital projectors, digital picture frames and more to launch malicious online activity through an evolving botnet known as BADBOX 2.0.

BADBOX was first discovered in 2023 and disrupted in 2024, but the new 2.0 version has resurfaced with more advanced techniques, according to the FBI. It continues to exploit Android-based devices, especially those not certified by Google Play Protect or promoted as 'unlocked' streaming tools capable of accessing free content, the bureau said.

The botnet, which reportedly consists of millions of compromised devices, allows criminals to create proxy networks out of unsuspecting users' home connections, the FBI said. The networks can then be exploited or sold to other criminals, enabling illegal activity that appears to originate from an innocent home network, according to the FBI.

Most of the infected devices were manufactured in China and are either preloaded with malware before purchase or compromised during setup through the download of unofficial apps, the FBI said. Once connected, the devices can silently become part of the BADBOX 2.0 botnet, giving criminals a hidden doorway into personal networks, the bureau added.

The FBI advised users to evaluate all devices in their home, especially those from unfamiliar or off-brand manufacturers, and watch for signs such as unusual Internet traffic, requests to disable Google security settings, or the use of unofficial app stores. To reduce risk, experts recommended keeping firmware and operating systems up to date, avoiding unofficial app downloads, and monitoring home network activity regularly.
Anyone who suspects they may have been affected is encouraged to report the incident to the FBI through the Internet Crime Complaint Center. – News Service

Apollo Exposed: What 400M Fake Ad Requests Reveal About Fraud

Forbes

17-04-2025

  • Business
  • Forbes


Audio advertising is booming. With programmatic audio spend projected to surpass $2 billion in 2025, it's become one of the most promising—and vulnerable—channels in digital media. Where innovation leads, cybercrime follows. And the recent Apollo operation uncovered by HUMAN and The Trade Desk is a case study in just how sophisticated, and damaging, that fraud can be.

At its peak, Apollo accounted for 400 million fraudulent bid requests per day, making it the largest audio-related ad fraud scheme ever detected. But what makes Apollo especially troubling isn't just the scale—it's how convincingly it mimicked legitimate traffic, exploited supply chain blind spots, and leveraged malware-infected CTV devices to obscure its origin.

I spoke with Will Herbig, senior director for AdTech Fraud Research & Strategic Customer Analytics at HUMAN, about the research. He explained that Apollo preyed on a fundamental weakness in server-side ad insertion, the technology used to serve seamless audio and video ads without interrupting user experience. With SSAI, advertisers receive limited telemetry—often just a user-agent string and an IP address—making it an ideal environment for spoofing. Fraudsters behind Apollo reverse-engineered the ad request flows of legitimate apps, replicating their formats to impersonate real audio ad inventory. They even spoofed apps that shouldn't have been serving audio at all.

'One of the things that sparked this investigation was the question of, why are puzzle apps serving audio ads?' Herbig told me. 'At least in my experience, it's uncommon that a puzzle app or something like that is going to serve an audio ad.' It was a subtle anomaly—but it set off a cascade of deeper analysis that ultimately exposed Apollo's intricate fabrication tactics.

Apollo's traffic wasn't generated by infected devices in the traditional sense. Instead, bid requests were fabricated wholesale—generated by script, spoofed to resemble real devices, and funneled through residential proxies to mask their true data center origins. Herbig emphasized that the scale Apollo operated at generated traffic equivalent to the traffic of a mid-sized city like Stamford, Connecticut. That scale was achieved in part thanks to BADBOX 2.0, a botnet of over a million compromised connected TV devices. Apollo traffickers leveraged BADBOX to route requests through residential IPs, making the traffic appear legitimate and difficult to trace. HUMAN had previously disrupted BADBOX, but its infrastructure was clearly still being exploited. By layering spoofed app identities, forged device configurations, and residential proxy evasion, Apollo's operators built a fraud operation that slipped through many traditional defenses.

The real damage, however, was in how Apollo exploited programmatic advertising's fragmented supply chain. Many platforms only validate the final seller in a transaction—a check that Apollo often passed. But those 'authorized' sellers were frequently several layers removed from the spoofed origin. 'There can be non-compliance in earlier parts of the supply chain, and then as you get to later parts, things look valid,' Herbig said. 'Many implementations of these supply chain standards are only checking the last place that came from, so everything that happened before that is kind of out of scope.' This phenomenon—what HUMAN refers to as 'supply chain convergence'—allows spoofed inventory to piggyback on authorized reseller pathways, creating a false sense of legitimacy. It's a loophole that remains dangerously under-policed in today's real-time bidding ecosystem.

HUMAN didn't just uncover Apollo—they helped dismantle it. Leveraging a predictive pre-bid scoring engine and an aggressive response strategy, the company saw a 99% reduction in Apollo-associated traffic across its platform. 'We are effectively demonetizing this supply,' Herbig said. 'By reducing the amount of bids that this inventory is getting… we're making it harder and harder for fraudsters to profit.'

The broader goal, Herbig explained, is to make ad fraud uneconomical at scale. Each operation disrupted increases the operational cost for cybercriminals. Every layer of complexity—whether it's a disrupted proxy network, stricter supply chain checks, or tighter SDK enforcement—raises the barrier to entry.

One of the strongest weapons against operations like Apollo isn't just technology—it's collaboration. HUMAN has leaned heavily into this strategy through its Human Collective, a multi-stakeholder initiative aimed at threat sharing and collective protection. According to Herbig, 'One of the great things we're doing is threat sharing. When we are observing concentrations of IBT, we are discussing that with the Human Collective, and we're using it as a forum for collaboration and a forum for discussion.' By sharing intelligence, surfacing patterns, and coordinating responses, HUMAN and its partners are creating a ripple effect across the programmatic ecosystem. The goal isn't to eliminate fraud entirely—it's to tip the cost-benefit equation against the fraudsters. As Herbig put it, 'We're trying to disrupt the economics of cybercrime… to the point that it becomes not worth it.'

Apollo is a milestone—not just in the scope of audio ad fraud, but in how the industry responds to it. The findings call for stronger adoption of third-party verification tools like the Open Measurement SDK, more rigorous end-to-end supply path validation, and above all, tighter industry-wide collaboration. Audio may be one of the newest frontiers in ad fraud, but it doesn't have to be the most vulnerable. With vigilance, transparency, and cooperation, the industry has a fighting chance to turn down the noise and restore trust in programmatic audio.
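To make the 'last place it came from' gap concrete, here is an added example (written for this page, not code from HUMAN or The Trade Desk) that validates a simplified IAB-style SupplyChain object two ways: checking only the final seller, as Herbig says many implementations do, and walking every hop back to the claimed origin. The sellers.json-style records, domains and seller ids are all constructed placeholders.

```python
# Constructed example: a simplified IAB-style SupplyChain object checked
# against constructed sellers.json-style records (nothing is fetched; all
# domains and seller ids are placeholders, not real infrastructure).
SELLERS_JSON = {  # advertising system domain -> {seller_id: seller domain}
    "exchange.example": {"1001": "midreseller.example"},
    "midreseller.example": {"77": "puzzleapp.example", "55": "shadyssp.example"},
    # "shadyssp.example" publishes no sellers.json at all
}

def hop_is_authorized(node, upstream):
    """node['asi'] must list node['sid'], and that listing must name the
    party that handed the request to it (the previous hop or the origin)."""
    return SELLERS_JSON.get(node["asi"], {}).get(node["sid"]) == upstream

def validate_last_hop(chain):
    """What many implementations do: inspect only the final seller."""
    nodes = chain["nodes"]
    upstream = nodes[-2]["asi"] if len(nodes) > 1 else chain["origin"]
    return hop_is_authorized(nodes[-1], upstream)

def validate_full_path(chain):
    """Walk every hop from the claimed origin to the final seller."""
    if not chain["complete"] or not chain["nodes"]:
        return False
    upstream = chain["origin"]
    for node in chain["nodes"]:
        if not hop_is_authorized(node, upstream):
            return False
        upstream = node["asi"]
    return True

# Genuine path: app -> mid reseller (seller 77) -> exchange (seller 1001).
LEGIT_CHAIN = {"origin": "puzzleapp.example", "complete": 1,
               "nodes": [{"asi": "midreseller.example", "sid": "77"},
                         {"asi": "exchange.example", "sid": "1001"}]}

# Spoofed path: fabricated requests claim the puzzle app as origin, enter
# through an unverifiable system, then ride the reseller's genuine seat.
SPOOFED_CHAIN = {"origin": "puzzleapp.example", "complete": 1,
                 "nodes": [{"asi": "shadyssp.example", "sid": "9"},
                           {"asi": "midreseller.example", "sid": "55"},
                           {"asi": "exchange.example", "sid": "1001"}]}

if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("spoofed", SPOOFED_CHAIN)):
        print(name, "last-hop:", validate_last_hop(chain),
              "full-path:", validate_full_path(chain))
```

The spoofed chain passes the last-hop check because the exchange really does list the reseller, and fails only when the first hop is checked against a system that publishes no seller records.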
