Google on Thursday revealed it’s pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure.
“The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android’s open-source software (Android Open Source Project), which lacks Google’s security protections,” the tech giant said.
“Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”
The company said it immediately took steps to update Google Play Protect, a malware and unwanted software protection mechanism built into Android, to automatically thwart BADBOX-related apps.
The development comes a little over a month after the U.S. Federal Bureau of Investigation (FBI) issued a warning about the BADBOX 2.0 botnet.
BADBOX, first detected in late 2022, is known to spread via internet of things (IoT) devices such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products, most of which are manufactured in China.
“Cybercriminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” the FBI warned.
In an analysis published earlier this March, HUMAN Security described the threat as the largest botnet of infected connected TV (CTV) devices ever uncovered to date. The vast majority of BADBOX infections have been reported in Brazil, the United States, Mexico , and Argentina.
While early iterations of the malware were propagated via supply chain compromises that backdoored the IoT devices with malware prior to purchase, the attack chains have since adapted to allow infections to spread via malicious apps downloaded from unofficial marketplaces.
More than 10 million devices are estimated to have been roped into the botnet, allowing its operators to sell access to compromised home networks to facilitate various kinds of illicit activity by other threat actors.
In a complaint filed on July 11, 2025, Google alleged that the BADBOX enterprise comprises multiple groups, each of which are responsible for different aspects of the criminal infrastructure –
- The Infrastructure Group, which established and manages BADBOX 2.0’s primary command-and-control (C2) infrastructure
- The Backdoor Malware Group, which develops and pre-installs backdoor malware in the bots
- The Evil Twin Group, which are behind an ad fraud campaign that creates “evil twin” versions of legitimate apps available on Google Play Store to serve ads and launch hidden web browsers that load hidden ads
- The Ad Games Group, which uses fraudulent “games” to generate ads
The company also accused BADBOX 2.0 actors of creating publisher accounts on the Google Ad Network to offer ad space on their apps or websites, for which they are compensated by Google.
“The sole purpose of the Enterprise’s apps and websites is to provide ad space for BADBOX 2.0 bots to generate traffic,” Google said. “The Enterprise will deploy BADBOX 2.0 bots to ‘view’ those ads, generating numerous impressions of the ad. Google pays the BADBOX 2.0 Enterprise […] for those impressions.”
Furthermore, Google pointed out the illegal operation allows the threat actors to profit from ad fraud on its network in three different ways: Using seemingly legitimate apps to stealthily load hidden ads via the “evil twin” scheme, opening hidden web browsers and interacting with ads on game websites created by them, and leveraging infected devices to conduct click fraud.
“The court has issued a preliminary injunction, i.e. has mandated that the BADBOX 2.0 Enterprise immediately stop their botnet operations and associated criminal schemes globally, and has compelled third-party internet service providers and domain registries to actively assist in dismantling the botnet’s infrastructure, for instance, by blocking traffic to and from specified domains,” Google said.
In a statement shared with The Hacker News, Stu Solomon, CEO of HUMAN Security, welcomed Google’s action against the threat actors behind BADBOX 2.0, stating the effort exemplifies the power of collaborating against such threats.
“This takedown marks a significant step forward in the ongoing battle to secure the internet from sophisticated fraud operations that hijack devices, steal money, and exploit consumers without their knowledge,” Solomon added.
