
Google has filed a lawsuit in a New York federal court targeting the operators of the BadBox 2.0 botnet, a massive malware operation that silently compromised over 10 million Android-based devices to commit large-scale ad fraud and cybercrime.
The tech giant aims to dismantle what it describes as the largest known botnet of internet-connected TV devices.
The legal action, supported by evidence from cybersecurity firms HUMAN Security and Trend Micro, alleges that the botnet’s perpetrators, cybercriminal groups based primarily in China, infected uncertified Android Open Source Project (AOSP) devices with pre-installed malware. These devices included smart TVs, projectors, and tablets not protected by Google Play Protect, making them ideal candidates for covert supply-chain compromise and exploitation.
The botnet’s infrastructure, uncovered earlier this year, enabled a sophisticated criminal network to gain persistent access to infected devices via a backdoor malware module known as “BB2DOOR.” The malicious code allowed remote attackers to deliver additional payloads, execute ad fraud, and sell access to infected devices as residential proxies, which were then used to facilitate account takeovers, DDoS attacks, credential theft, and even one-time-password interception.
This legal action follows Google’s earlier disruption efforts in partnership with law enforcement and security vendors, including the takedown of 24 malicious apps and the suspension of thousands of ad-related publisher accounts tied to the BadBox network.
According to the complaint, BadBox 2.0 was operated by a constellation of interconnected threat actor groups. The Infrastructure Group managed the core command-and-control (C2) servers; the Backdoor Malware Group developed and distributed the BB2DOOR implant; and two additional groups, Evil Twin and Ad Games, specialized in delivering fraudulent traffic via hidden web browsers and cloned malicious apps. Many of these apps mimicked legitimate ones but secretly rendered invisible ads in the background, inflating ad revenue for publishers under the operators' control.
The malware was often delivered via supply chain tampering, where threat actors installed compromised versions of AOSP firmware before devices reached consumers. In other cases, users were tricked into sideloading apps from unofficial sources, unknowingly inviting malware onto their devices.
Google’s complaint accuses the unnamed defendants (Does 1–25) of violating the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations Act (RICO), arguing that the BadBox 2.0 enterprise constitutes a criminal conspiracy designed to defraud advertisers, deceive consumers, and compromise the integrity of Google's ad infrastructure. The tech company is seeking both injunctive relief to shut down the botnet’s infrastructure and damages to recoup investigative and mitigation costs.
The botnet’s global footprint is vast, with infected devices observed in over 222 countries, heavily concentrated in Brazil, the U.S., Mexico, Argentina, and Colombia. Google estimates the botnet facilitated billions of fraudulent ad impressions per week, while also degrading device performance and security for consumers.
The case is a reminder of the broader risks associated with uncertified AOSP devices, which often bypass security vetting and ship without Google's malware protection tools. The company reiterated its warning that users should only purchase Play Protect-certified devices and avoid installing software from unofficial app marketplaces.