Google Sues Operators of BadBox 2.0 Botnet Infecting Over 10 Million Devices


Date: 21/07/2025

Google has filed a lawsuit against the anonymous operators of the Android botnet BadBox 2.0, accusing them of orchestrating a global fraud scheme targeting the company’s advertising platforms.

Recall that BadBox is Android malware built on code from the Triada malware family.

The malware is often pre-installed on budget devices straight “out of the box”, or it infects them later through updates and malicious apps, some of which make their way into Google Play and third-party stores. TVs, smart TVs, tablets, smartphones, and other devices fall victim to infection.

The malware exploits devices running the Android Open Source Project (AOSP) to steal data, install additional malicious software, and also allows attackers to gain remote access to the network where the compromised device is located.

In fact, once compromised, the devices become part of the BadBox 2.0 botnet, where they are used for ad fraud or turned into residential proxies, which are sold to other attackers and used for various malicious activities.

The lawsuit filed by Google (PDF) primarily focuses on ad fraud committed by the botnet against the company’s advertising platforms.

This fraud is carried out in three ways.

  • Stealth Ad Display: Infected devices have fake twin applications discreetly installed, which load hidden ads in the background from attacker-controlled sites. These sites host Google ads, generating revenue for the scammers.
  • Web Game Sites: Bots are instructed to open invisible browser windows where they play fraudulent games, leading to rapid views of Google ads. Each of these views generates income for publisher accounts controlled by the attackers.
  • Click Fraud: Bots are commanded to perform search queries on sites controlled by the attackers, where AdSense for Search is used. This also generates advertising revenue for the scammers from ads displayed in search results.

BadBox was first discovered in 2023 by independent cybersecurity researcher Daniel Milisic, who noticed that T95 Android TV boxes sold on Amazon were infected with sophisticated malware right “out of the box”.

At the end of 2024, German law enforcement attempted to take down part of the botnet. However, researchers at BitSight reported that the operation did not significantly impact its functioning: by the end of December, the botnet had once again reached over 192,000 infected devices worldwide.

This spring, a new operation against the botnet was led by specialists from Human Security, in collaboration with Google, Trend Micro, The Shadowserver Foundation, and other experts. Because the botnet had once again grown sharply, to almost a million infected IoT devices, researchers named it BadBox 2.0.

“This campaign has impacted over 1 million consumer devices. Among the devices included in the BadBox 2.0 botnet were budget, unbranded, and non-certified tablets, TV boxes, digital projectors, and so on,” wrote specialists at Human Security. “The infected devices are solutions based on the Android Open Source Project, not devices based on the Android TV OS or certified by Play Protect. All of them are manufactured in mainland China and distributed worldwide.”

In March 2025, the operation sinkholed several of the botnet’s domains, cutting 500,000 infected devices off from their command-and-control servers. However, the FBI recently warned that the botnet is growing again as consumers continue to purchase new compromised products and connect them to the Internet.

Now, in Google’s lawsuit, it is reported that as of April 2025, BadBox 2.0 has infected over 10,000,000 Android devices. In the state of New York alone, there are more than 170,000 infected gadgets.

Google representatives stated that they have already removed thousands of publisher accounts associated with this malicious campaign, yet the botnet continues to grow and poses an increasing risk.

“If the BadBox 2.0 campaign is not disrupted, the botnet will continue to grow,” warns Google. “The criminal enterprise BadBox 2.0 will continue to generate revenue and use it to expand its operations — releasing new devices and new malware to fuel its criminal activities, and Google will be forced to continue spending significant financial resources to investigate and combat this fraudulent scheme.”

Since the identities of the 25 defendants are unknown and it is assumed that they are all located in China, Google is seeking legal protection under the Computer Fraud and Abuse Act, as well as the Racketeer Influenced and Corrupt Organizations Act (RICO).

The company is seeking damages and a permanent injunction to dismantle the malware infrastructure and prevent its further spread.

The lawsuit includes a list of more than 100 domains that are part of the BadBox 2.0 infrastructure.
