Google Takes Legal Action Against BADBOX 2.0 Botnet in New York
Overview of the Legal Action
On July 18, 2025, Google announced that it had filed a lawsuit in a federal court in New York against 25 unidentified individuals and organizations based in China. These parties are believed to operate the BADBOX 2.0 botnet together with a network of residential proxies.
The Scale of the Threat
According to Google, the BADBOX 2.0 botnet has compromised more than 10 million uncertified devices that run the Android Open Source Project (AOSP), Android's open-source platform. AOSP builds lack the security features Google integrates into its own products, which leaves these devices particularly exposed.
Cybercriminals infected these devices with pre-installed malware and exploit them for large-scale advertising fraud and other digital crimes. In response, Google rolled out an update to Google Play Protect, the built-in feature that protects Android devices from malware and unwanted applications, so that it blocks any apps linked to BADBOX.
Recent Warnings and Background
This legal action follows a warning issued by the Federal Bureau of Investigation (FBI) about the BADBOX 2.0 botnet, which first came to attention in late 2022. The FBI described how the operators gain unauthorized access to home networks through Internet of Things (IoT) devices, either because malicious software is embedded in the product before it reaches consumers or because the device is infected while the user installs applications the device requires.
The Impact of BADBOX 2.0
An analysis published earlier this year by HUMAN Security identified BADBOX as the largest botnet of infected connected TV (CTV) devices to date. Most infections have been reported in Brazil, the United States, Mexico, and Argentina.
Initially, the threat spread through supply chain compromises in which malware was pre-installed on the devices. The methods have since expanded to include infections through malicious applications downloaded from unofficial sources.
Organized Criminal Groups Behind BADBOX
Google’s complaint, filed on July 11, describes the internal structure of the BADBOX operation as several groups working in concert:
- Infrastructure Group: Responsible for creating and managing the botnet’s primary command-and-control infrastructure.
- Backdoor Malware Group: Focused on developing and pre-installing malware within the compromised devices.
- Evil Twin Group: Engaged in ad fraud by creating counterfeit versions of legitimate Google Play Store apps that serve ads and open hidden web browsers to display advertisements the user never sees.
- Ad Games Group: Utilizes deceptive "games" to inflate advertisement views fraudulently.
Financial Exploitation Through Fraud
Google’s allegations describe a systematic scheme by the BADBOX 2.0 actors to exploit the Google Ad Network. They allegedly create publisher accounts, sell ad space on their own apps and websites, and collect payment for the resulting impressions. Google states, "The sole purpose of the Enterprise’s apps and websites is to provide ad space for BADBOX 2.0 bots to generate traffic," describing a coordinated effort to inflate ad view metrics and generate fraudulent impressions.
Legal and Technical Responses
The court has responded by issuing a preliminary injunction requiring the BADBOX 2.0 enterprise to cease all botnet activities and associated crimes worldwide. Additionally, the ruling obliges third-party internet service providers and domain registries to assist in dismantling the botnet’s infrastructure. This includes measures such as blocking traffic to and from specific domains linked to the operation.
Community Response
In a statement to The Hacker News, Stu Solomon, CEO of HUMAN Security, praised Google’s actions against the individuals involved with BADBOX 2.0. He remarked, “This takedown marks a significant step forward in the ongoing battle to secure the internet from sophisticated fraud operations that hijack devices, steal money, and exploit consumers without their knowledge.” This highlights the importance of collaboration among organizations to combat cybersecurity threats effectively.
Overall, Google’s legal actions and the collaborative stance from industry leaders suggest a concerted effort to mitigate digital threats and protect consumers from ongoing cyber risks.