Red Hot Cyber


Google files suit against the BadBox 2.0 botnet! A thought-provoking lawsuit against unknown individuals

Redazione RHC : 19 July 2025 13:52

Google has filed a lawsuit against the anonymous operators of the Android BadBox 2.0 botnet, accusing them of orchestrating a global fraud targeting the company’s advertising platforms. BadBox is Android malware based on code from the Triada malware family. It is often preinstalled on inexpensive devices out of the box, and it also reaches devices through updates and through malicious apps that occasionally slip into Google Play and third-party stores. Set-top boxes, tablets, smart TVs, smartphones and similar devices are all susceptible to infection.

The malware targets devices running builds of the Android Open Source Project (AOSP) to steal data, install additional malware, and give attackers remote access to the network the compromised device sits on. Once compromised, the devices become part of the BadBox 2.0 botnet, where they are used for ad fraud or turned into residential proxies that are sold to other attackers and used for a range of malicious activities.

Google’s lawsuit focuses primarily on the ad fraud the botnet is committing against the company’s advertising platforms. This fraud is carried out in three ways.

  • Displaying hidden ads: Fake apps and lookalike apps are silently installed on infected devices and load hidden advertisements in the background from attacker-controlled sites that host Google ads, generating revenue for the scammers.
  • Online gaming sites: Bots are instructed to open invisible browser windows in which they play games that rapidly display Google ads. Each view generates revenue for the attacker-controlled publisher accounts.
  • Click fraud: Bots are instructed to run search queries on attacker-controlled sites that use AdSense for search, which again generates revenue for the scammers from the ads shown in the search results.
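The three patterns above all leave traces in ad-event telemetry: zero-size ad containers, impression rates no human could produce, and search-to-click ratios near 100%. The script below is an added example, not code from the article and not Google's detection logic; it shows the kind of heuristics an analyst could run over ad-event logs to surface each pattern. The log schema, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed log schema (constructed for this example, not a real ad-server format):
#   <ISO timestamp> <device_id> <publisher_id> <event> <ad_container_size> <query_or_->
# event is one of: impression, search, click

HIDDEN_SIZES = {"0x0", "1x1"}   # ad containers too small to be seen
BURST_WINDOW_S = 60             # assumed sliding window for impression bursts
BURST_MAX = 20                  # assumed: more than this many impressions per window is suspicious
MIN_SEARCHES = 3                # assumed: minimum searches before judging click-through rate
CTR_MAX = 0.5                   # assumed: click-through above 50% on search ads is not human


def build_sample_log():
    """Constructed sample lines covering the three fraud patterns plus one benign device."""
    lines = [
        # dev-a: hidden ads rendered in invisible containers (pattern 1)
        "2025-04-01T10:00:00 dev-a pub-1 impression 300x250 -",
        "2025-04-01T10:00:01 dev-a pub-1 impression 0x0 -",
        "2025-04-01T10:00:02 dev-a pub-1 impression 1x1 -",
    ]
    # dev-b: 40 impressions in 40 seconds, e.g. an invisible game window (pattern 2)
    lines += [f"2025-04-01T10:00:{i:02d} dev-b pub-2 impression 320x50 -" for i in range(40)]
    # dev-c: every search query is followed by a click, 100% CTR (pattern 3)
    for i in range(5):
        lines.append(f"2025-04-01T10:01:{2 * i:02d} dev-c pub-3 search - q{i}")
        lines.append(f"2025-04-01T10:01:{2 * i + 1:02d} dev-c pub-3 click - q{i}")
    # dev-d: two normal-looking impressions minutes apart (benign)
    lines += [
        "2025-04-01T10:05:00 dev-d pub-4 impression 300x250 -",
        "2025-04-01T10:09:00 dev-d pub-4 impression 300x250 -",
    ]
    return lines


def parse(line):
    ts, device, publisher, event, size, query = line.split()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "publisher": publisher, "event": event, "size": size, "query": query}


def detect(lines):
    """Return {(device, publisher): [reasons]} for every pair that trips a heuristic."""
    by_pair = defaultdict(list)
    for rec in map(parse, lines):
        by_pair[(rec["device"], rec["publisher"])].append(rec)

    findings = defaultdict(set)
    for key, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        imps = [r for r in recs if r["event"] == "impression"]

        # Pattern 1: impressions served into containers that cannot be seen.
        if any(r["size"] in HIDDEN_SIZES for r in imps):
            findings[key].add("hidden_ad")

        # Pattern 2: sliding-window count of impressions exceeds BURST_MAX.
        times = [r["ts"] for r in imps]
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            if end - start + 1 > BURST_MAX:
                findings[key].add("impression_burst")
                break

        # Pattern 3: search-ad click-through rate that no real user population produces.
        searches = sum(1 for r in recs if r["event"] == "search")
        clicks = sum(1 for r in recs if r["event"] == "click")
        if searches >= MIN_SEARCHES and clicks / searches > CTR_MAX:
            findings[key].add("search_click_fraud")

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (device, publisher), reasons in detect(build_sample_log()).items():
        print(f"{device} -> {publisher}: {', '.join(reasons)}")
```

The thresholds are deliberately crude; in practice they would be tuned per ad format and combined with device-level signals such as Play Protect certification status and the proxy or network reputation of the source IP, since a BadBox device doubling as a residential proxy will also show traffic that has nothing to do with the device's owner.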

BadBox was first discovered in 2023 by independent security researcher Daniel Milisic, who noticed that Android T95 set-top boxes sold on Amazon shipped with sophisticated malware already installed. In late 2024, German law enforcement attempted to take down part of the botnet, but BitSight researchers soon reported that the operation had little effect on it. By the end of December, the botnet again had over 192,000 infected devices worldwide.

In spring 2025, Human Security led a new operation against the botnet, in collaboration with Google, Trend Micro, the Shadowserver Foundation, and other experts. With the botnet again growing rapidly, reaching nearly one million infected IoT devices, researchers dubbed it BadBox 2.0. “This campaign affected over 1 million consumer devices. Devices included in the BadBox 2.0 botnet included tablets, set-top boxes, digital projectors, and other low-end, unbranded, and uncertified devices,” Human Security wrote. The infected devices are built on the Android Open Source Project; they are not Android TV devices and not Play Protect certified. They are all produced in mainland China and shipped worldwide.

By March 2025, the operation had sinkholed several of the botnet's domains, cutting off command-and-control communications for 500,000 infected devices. However, the FBI recently reported that the botnet is growing again, as consumers keep buying compromised products and connecting them to the internet. Google’s lawsuit now claims that, as of April 2025, BadBox 2.0 has infected more than 10,000,000 Android devices, more than 170,000 of them in New York State alone.

Google says it has already removed thousands of publisher accounts associated with the malicious campaign, but the botnet continues to grow and pose an ever-increasing risk. “If the BadBox 2.0 campaign is not stopped, the botnet will continue to grow,” Google warns. “The BadBox 2.0 criminal organization will continue to generate revenue and use it to expand its operations, releasing new devices and malware to fuel its criminal activities, and Google will be forced to continue investing significant financial resources to investigate and combat this fraud.”

The identities of the 25 defendants are unknown, and all are believed to be located in China. Google is suing them under the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations Act (RICO), seeking damages and a permanent injunction to dismantle the malware infrastructure and prevent its further spread. The lawsuit includes a list of over 100 domains that form part of the BadBox 2.0 infrastructure.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.