Google has filed a lawsuit against the creators of BADBOX 2.0

18.07.2025 2 minutes Author: Newsman

Google has filed a major lawsuit against 25 unidentified individuals linked to BADBOX 2.0, a massive botnet that has infected over 10 million Android devices globally. According to Google, the attackers use compromised smart TVs, streaming boxes, and other AOSP-based devices for ad fraud, proxy resale, and large-scale cyberattacks.

BADBOX 2.0 primarily targets Android Open Source Project (AOSP) devices that lack Google Play Protect. Some of these gadgets come pre-infected at the firmware level, while others get compromised by tricking users into installing malicious apps. Once infected, the device becomes part of the botnet, connects to attacker-controlled C2 servers, and executes malicious commands.

In its lawsuit, Google outlines three main types of fraud conducted by BADBOX 2.0:

  • Hidden ad rendering via fake pre-installed apps;

  • Invisible browsers auto-navigating gaming sites loaded with Google Ads;

  • Search ad click fraud through automated queries on AdSense for Search.

Even though the original BADBOX botnet was disrupted in 2024 through DNS sinkholing in Germany, it quickly returned as BADBOX 2.0. By 2025, over 170,000 active infected devices have been detected in New York alone.

Google highlights that many of these infected devices are sold on the secondary market — cheap smart gadgets manufactured in China, with BADBOX already embedded in the firmware. This makes it impossible to remove via traditional methods.

The lawsuit is filed under the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act, claiming the criminal group is a coordinated network with distributed roles: some members develop the botnet infrastructure, while others sell proxy access, run hidden browser sessions, or control the traffic, domains, and ad operations.

BADBOX first emerged around 2023–2024, using the same techniques: ad fraud and DDoS via infected Android devices. A coordinated takedown operation involved Google, Trend Micro, Shadowserver, and Human Security. Several C2 servers were dismantled, but the botnet resurfaced. According to Shadowserver, over 5 million devices are still actively trying to reach attacker servers.

BADBOX 2.0 is more than just another Android virus — it’s a global-scale infrastructure threat. It hijacks millions of devices, generates revenue through invisible ads and fake traffic, and is extremely hard to eliminate. Google’s legal pressure aims to disrupt the operation entirely, but as long as C2 servers remain active and devices continue to ship with embedded malware, the threat remains very real.
