Google Sues Operators of BadBox 2.0 Botnet That Infected Over 10 Million Devices

Google has filed a landmark lawsuit against the anonymous operators of BadBox 2.0, an Android-based botnet responsible for infecting more than 10 million devices worldwide. The tech giant accuses the group of orchestrating a massive ad fraud operation that exploited Google’s advertising platforms and siphoned illicit revenue on a global scale.
What Is BadBox 2.0?
BadBox is a sophisticated strain of Android malware derived from the notorious Triada malware family. It often comes pre-installed on low-cost devices—smartphones, tablets, TV boxes, and smart TVs—or spreads through malicious apps, some of which have slipped past Google Play's defenses and others of which are distributed through third-party app stores.
Compromised devices typically run the Android Open Source Project (AOSP) rather than Play Protect-certified Android. Once infected, a device becomes part of the BadBox 2.0 botnet, enabling the following activities:
- Data theft
- Silent malware installations
- Remote access to infected networks
- Ad fraud (e.g., fake clicks and hidden ad views)
- Residential proxy services (resold to other threat actors)
How the Ad Fraud Works
Google's legal complaint outlines three primary schemes used to generate fraudulent advertising revenue:
• Hidden Ad Injection
Malicious clone apps secretly load ads from attacker-controlled websites, appearing legitimate to ad networks while invisible to users.
• Web Game Fraud
The botnet launches headless browser windows to "play" fake web games, rapidly cycling through ad impressions.
• Click Fraud
Automated bots conduct fake searches on attacker-run sites monetized via AdSense for Search, generating significant income with minimal oversight.
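All three schemes leave the same fingerprint on the ad-platform side: impression and click cadences that no human can produce. As an added illustration (not code from Google's complaint or from any vendor's detection tooling), the Python below runs simple rate heuristics over a constructed ad-event log and flags devices whose activity matches the hidden-ad, web-game and click-fraud patterns described above. The log format, device names and thresholds are assumptions made for the example, not values taken from the page.

```python
"""Rate-based ad-fraud heuristics over a constructed event log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not figures from Google's complaint.
MAX_IMPRESSIONS_PER_MINUTE = 30.0   # faster than a person could cycle ad slots
MAX_CLICK_THROUGH_RATE = 0.5        # genuine CTRs are a few percent at most
MIN_VIEWABLE_RATIO = 0.2            # ads that never render on screen = hidden injection

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log():
    """Construct a small synthetic log; each line is: timestamp device event viewable=N."""
    base = datetime(2025, 4, 1, 12, 0, 0)
    lines = []

    def emit(offset_s, device, event, viewable):
        ts = (base + timedelta(seconds=offset_s)).strftime(LOG_FORMAT)
        lines.append(f"{ts} {device} {event} viewable={int(viewable)}")

    # A normal tablet: one ad every 2.5 minutes, one genuine click, all on screen.
    for i in range(5):
        emit(150 * i, "dev-legit", "impression", True)
    emit(160, "dev-legit", "click", True)
    # Hidden ad injection / web-game loop: an ad a second, none ever rendered visibly.
    for i in range(60):
        emit(i, "dev-hidden", "impression", False)
    # Click-fraud bot: nearly every impression is followed by a "click".
    for i in range(10):
        emit(30 * i, "dev-clicker", "impression", True)
        if i < 9:
            emit(30 * i + 1, "dev-clicker", "click", True)
    return lines


def parse_log(lines):
    """Parse the constructed log lines into event dicts."""
    events = []
    for line in lines:
        ts, device, event, viewable = line.split()
        events.append({
            "ts": datetime.strptime(ts, LOG_FORMAT),
            "device": device,
            "event": event,
            "viewable": viewable == "viewable=1",
        })
    return events


def score_devices(events):
    """Return {device: [reasons]} for devices whose ad activity looks automated."""
    stats = defaultdict(lambda: {"imp": 0, "viewable": 0, "click": 0,
                                 "first": None, "last": None})
    for e in events:
        s = stats[e["device"]]
        if e["event"] == "impression":
            s["imp"] += 1
            s["viewable"] += int(e["viewable"])
        elif e["event"] == "click":
            s["click"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])

    flagged = {}
    for device, s in stats.items():
        if s["imp"] == 0:
            continue
        reasons = []
        # Clamp the window to one minute so a burst of events at the same
        # timestamp is not divided by zero and still reads as a high rate.
        span_min = max((s["last"] - s["first"]).total_seconds() / 60.0, 1.0)
        if s["imp"] / span_min > MAX_IMPRESSIONS_PER_MINUTE:
            reasons.append("impression_rate")
        if s["viewable"] / s["imp"] < MIN_VIEWABLE_RATIO:
            reasons.append("hidden_impressions")
        if s["click"] / s["imp"] > MAX_CLICK_THROUGH_RATE:
            reasons.append("click_through_rate")
        if reasons:
            flagged[device] = reasons
    return flagged


def run_demo():
    """Score the constructed log; the legitimate device should not appear."""
    return score_devices(parse_log(build_sample_log()))


if __name__ == "__main__":
    for device, reasons in sorted(run_demo().items()):
        print(device, ", ".join(reasons))
```

In practice these per-device counters would be keyed on the ad request's device and publisher identifiers and computed over a sliding window; the point of the example is that hidden injection shows up as impressions with no viewability, the web-game loop as an impossible impression rate, and click fraud as a click-through rate far above anything organic.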
A Persistent Threat
The malware first made headlines in 2023, when researcher Daniel Milisic found infected T95 Android TV boxes being sold through Amazon. Despite repeated takedown efforts, BadBox has proven unusually resilient:
- Late 2024: German police dismantled part of the infrastructure.
- December 2024: Infection levels rebounded to over 192,000 devices.
- 2025: A coalition including Human Security, Google, Trend Micro, and Shadowserver launched a broader takedown, sinkholing domains tied to 500,000 devices.
Still, the FBI has warned that the botnet is regrowing as more infected devices hit the market.
Current Scope
As of April 2025, BadBox 2.0 has compromised more than 10 million Android devices globally, including 170,000+ in New York alone.
Google has since banned thousands of publisher accounts linked to the scheme. However, the infrastructure behind BadBox remains operational.
Google’s Legal Action
Given the anonymous and likely offshore nature of the operation—believed to be based in China—Google has filed suit against 25 unnamed defendants under:
- The Computer Fraud and Abuse Act (CFAA)
- The Racketeer Influenced and Corrupt Organizations Act (RICO)
The lawsuit seeks both monetary damages and a permanent injunction to shut down the infrastructure supporting BadBox 2.0. It lists more than 100 domains tied to the malware operation.
“If BadBox 2.0 isn’t stopped, the botnet will keep expanding—funding new malware, devices, and criminal operations—forcing Google to spend significant resources fighting this fraud,” the company warned.
Key Takeaway
The BadBox 2.0 case is a wake-up call about the hidden dangers of uncertified (non-Play Protect-certified) Android hardware and the growing scale of botnet-driven ad fraud. As criminals increasingly exploit the hardware supply chain to ship malware pre-installed, consumers should:
✔ Avoid ultra-cheap, uncertified Android devices
✔ Monitor devices for unexpected ads, apps, or performance issues
✔ Report suspicious behavior to trusted security vendors