Google announced Thursday that it is pursuing legal action in New York federal court against 25 unnamed individuals or entities in China who allegedly operate the Badbox 2.0 botnet and housing proxy infrastructure.
“The Badbox 2.0 botnet has compromised over 10 million unclear devices running Android Open Source Project, which lacks Google’s security,” says Tech Giant.
“Cybercriminals have been infected with pre-installed malware on these devices and exploited them to carry out massive advertising fraud and other digital crimes.”
The company said it took steps to quickly update Google Play Protect, a built-in malware and unnecessary software protection mechanism built into Android.
The development took just over a month after the Federal Bureau of Investigation (FBI) issued a warning about the Badbox 2.0 botnet.
First detected in late 2022, BadBox is known to spread through Internet of Things (IoT) devices, including television streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products. Most of them are manufactured in China.
“Cybercriminals usually gain unauthorized access to their home network by configuring the product with malicious software before users purchase the device before downloading necessary applications, including backdoors, during the setup process,” the FBI warned.
In an analysis released early in March this year, Human Security described the threat as the largest botnet of infected connected TV (CTV) devices that have been uncovered to date. The majority of Badbox infections have been reported in Brazil, the US, Mexico and Argentina.
Early repetition of malware was propagated through supply chain compromises with malware against the backdrop of IoT devices with malware before purchasing, but the attack chain has adapted to spread infections through malicious apps downloaded from the informal market.
With over 10 million devices estimated to be roped to the botnet, operators can sell access to compromised home networks to promote different types of illegal activities by other threat activators.
In a complaint filed on July 11, 2025, Google claimed that Badbox Enterprise is made up of multiple groups.
The Infrastructure Group, which establishes and manages the primary command and control (C2) infrastructure for Badbox 2.0, is a backdoor malware group that develops and preinstalls bot backdoor malware. A fraudulent “game” to generate ads
The company also denounced Badbox 2.0 actors who have created publisher accounts on the Google Ads Network to provide advertising space on their apps or websites and are being compensated by Google.
“The sole purpose of enterprise apps and websites is to provide advertising space for Badbox 2.0 bots to generate traffic,” Google says. “Enterprise deploys Badbox 2.0 bots to ‘show’ those ads, generating a large number of impressions of the ads. […] For those impressions. ”
Furthermore, Google pointed out that illegal operations allow threat actors to benefit in three different ways from advertising fraud on their networks. It involves using seemingly legal apps to secretly load hidden ads via “Evil Twin” schemes, opening hidden web browsers, interacting with ads on gaming websites created by them, and leveraging infected devices to commit fraud.
“The court issued a preliminary injunction, which requires Badbox 2.0 Enterprise to globally suspend botnet operations and related criminal schemes, forcing third-party internet service providers and domain registries to actively help dismantle botnet infrastructure, for example by blocking traffic from certain domains.
In a statement shared with Hacker News, Human Security CEO Stu Solomon welcomed Google’s actions against the threat actors behind Badbox 2.0, exemplifying the power of cooperation against such threats.
“This marks a great step forward in the ongoing battle to secure the internet from sophisticated fraud businesses that hijack devices, steal money and abuse without knowing consumers,” Solomon added.
Source link
