Google Sues Operators of BadBox 2.0 Botnet Infecting Over 10 Million Devices

Google has filed a lawsuit against the anonymous operators of the Android botnet BadBox 2.0, accusing them of orchestrating a global fraud scheme targeting the company’s advertising platforms.

Recall that BadBox is Android malware based on the code of the malicious Triada family.

The malware is often pre-installed on budget devices straight “out of the box”, or reaches them later through firmware updates and malicious apps, some of which have made it into Google Play and third-party app stores. TV boxes, tablets, smart TVs, smartphones, and other consumer hardware have all been found infected.

The malware targets devices running uncertified builds of the Android Open Source Project (AOSP): it steals data, installs additional malicious software, and gives the attackers remote access to the network on which the compromised device sits.

In fact, once compromised, the devices become part of the BadBox 2.0 botnet, where they are used for ad fraud or turned into residential proxies, which are sold to other attackers and used for various malicious activities.

The lawsuit filed by Google (PDF) primarily focuses on ad fraud committed by the botnet against the company’s advertising platforms.

This fraud is carried out in three ways.

  • Stealth Ad Display: Infected devices have fake twin applications discreetly installed, which load hidden ads in the background from attacker-controlled sites. These sites host Google ads, generating revenue for the scammers.
  • Web Game Sites: Bots are instructed to open invisible browser windows where they play fraudulent games, leading to rapid views of Google ads. Each of these views generates income for publisher accounts controlled by the attackers.
  • Click Fraud: Bots are commanded to perform search queries on sites controlled by the attackers, where AdSense for Search is used. This also generates advertising revenue for the scammers from ads displayed in search results.

BadBox was first discovered in 2023 by independent cybersecurity researcher Daniel Milisic, who noticed that T95 Android TV boxes sold on Amazon shipped with sophisticated malware already installed, right “out of the box”.

At the end of 2024, German law enforcement attempted to take down part of the botnet. However, researchers at BitSight reported that this operation did not significantly impact its functioning: by the end of December, the botnet had once again reached over 192,000 infected devices worldwide.

This spring, a new operation against the botnet was led by specialists from Human Security, in collaboration with Google, Trend Micro, The Shadowserver Foundation, and other experts. Because the botnet had once again grown sharply, to almost a million infected IoT devices, the researchers named it BadBox 2.0.

“This campaign has impacted over 1 million consumer devices. Among the devices included in the BadBox 2.0 botnet were budget, unbranded, and non-certified tablets, TV boxes, digital projectors, and so on,” wrote specialists at Human Security. “The infected devices are solutions based on the Android Open Source Project, not devices based on the Android TV OS or certified by Play Protect. All of them are manufactured in mainland China and distributed worldwide.”

In March 2025, an operation enabled the sinkholing of several domains of the botnet, disrupting the communication with command and control servers for 500,000 infected devices. However, the FBI recently warned that the botnet is growing again as consumers continue to purchase new compromised products and connect them to the Internet.

Now, in Google’s lawsuit, it is reported that as of April 2025, BadBox 2.0 has infected over 10,000,000 Android devices. In the state of New York alone, there are more than 170,000 infected gadgets.

Google representatives stated that they have already removed thousands of publisher accounts associated with this malicious campaign, yet the botnet continues to grow and poses an increasing risk.

“If the BadBox 2.0 campaign is not disrupted, the botnet will continue to grow,” warns Google. “The criminal enterprise BadBox 2.0 will continue to generate revenue and use it to expand its operations — releasing new devices and new malware to fuel its criminal activities, and Google will be forced to continue spending significant financial resources to investigate and combat this fraudulent scheme.”

Since the identities of the 25 defendants are unknown and it is assumed that they are all located in China, Google is seeking legal protection under the Computer Fraud and Abuse Act, as well as the Racketeer Influenced and Corrupt Organizations Act (RICO).

The company is seeking damages and a permanent injunction to dismantle the malware infrastructure and prevent its further spread.

The lawsuit includes a list of more than 100 domains that are part of the BadBox 2.0 infrastructure.