Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices

Jul 18, 2025 | Ravie Lakshmanan | Botnet / Network Security

Google recently took legal action in New York federal court against 25 unidentified individuals or entities in China for allegedly operating the BADBOX 2.0 botnet and residential proxy infrastructure.

The BADBOX 2.0 botnet targeted over 10 million uncertified devices running the Android Open Source Project (AOSP) software, which lacks Google's built-in security protections. Cybercriminals exploited these devices for large-scale ad fraud and other digital crimes.

Google promptly updated Google Play Protect to automatically combat BADBOX-related apps following the discovery of the botnet. This move comes shortly after the FBI issued a warning about the BADBOX 2.0 botnet.

BADBOX, first identified in late 2022, predominantly spreads through internet of things (IoT) devices like TV streaming devices, digital projectors, and aftermarket vehicle infotainment systems, many of which are manufactured in China.

The FBI cautioned that cybercriminals gain unauthorized access to home networks either by shipping products with malicious software already pre-loaded, or by infecting devices when users download required applications that carry backdoors.

According to HUMAN Security, BADBOX is the largest botnet of infected connected TV (CTV) devices, with most infections reported in Brazil, the United States, Mexico, and Argentina.

Early iterations of the malware spread through supply chain compromises, but now infections propagate via malicious apps from unofficial sources.

Google’s complaint filed on July 11, 2025, alleges that the BADBOX enterprise comprises multiple groups responsible for different criminal activities:

  • The Infrastructure Group manages BADBOX 2.0’s primary command-and-control (C2) infrastructure.
  • The Backdoor Malware Group develops and pre-installs backdoor malware in the bots.
  • The Evil Twin Group conducts an ad fraud campaign by creating “evil twin” versions of legitimate apps to serve ads.
  • The Ad Games Group generates ads using fraudulent “games.”

Google also accused BADBOX 2.0 actors of profiting from ad fraud on its network through various schemes like hidden ads, hidden web browsers, and click fraud.

The court issued a preliminary injunction mandating the immediate cessation of BADBOX 2.0 operations globally and compelling third-party assistance in dismantling the botnet’s infrastructure.

Stu Solomon, CEO of HUMAN Security, praised Google’s action against the BADBOX 2.0 threat actors, emphasizing the importance of collaborative efforts in combating such sophisticated fraud operations.