- Google is suing 25 unnamed China-based individuals or entities for operating the BADBOX 2.0 botnet.
- BADBOX 2.0 has compromised more than 10 million uncertified Android devices.
- The operators use pre-installed (supply-chain) malware for ad fraud and other crimes.
- The FBI had previously warned about BADBOX 2.0's reach through consumer IoT devices.
- The affected devices are primarily manufactured in China.
Google’s Legal Action Against BADBOX 2.0 Botnet
On Thursday, Google confirmed that it has filed suit in a New York federal court against 25 unidentified individuals or entities based in China. These parties are alleged to run the BADBOX 2.0 botnet, which has reportedly compromised more than 10 million uncertified Android devices. Google noted that the affected devices run builds of Android's open-source code (AOSP) that are not certified by Google and therefore lack the security protections Google ships on certified devices. That matters in practice: the malware is present before the user ever turns the device on, so the usual advice of keeping apps and the OS updated does not help. Google's action is aimed at disrupting the operation and protecting its advertising ecosystem.
How BADBOX 2.0 Spreads and Its Risks
BADBOX has grown considerably since the original botnet was first detected in late 2022, spreading largely through internet of things devices. These devices, ranging from TV streaming boxes to digital picture frames, are often manufactured in China and can be compromised either before purchase (malware pre-installed at the factory or in the supply chain) or during setup (when the user installs apps from unofficial marketplaces). The FBI has issued a public warning about the botnet, explaining how the malware gives criminals unauthorized access to home networks; compromised devices are used, among other things, as residential proxy nodes, so abusive traffic appears to originate from the victim's home IP address. In its analysis, HUMAN Security identified BADBOX as the largest botnet infecting connected TV devices, with infections concentrated in Brazil, Mexico, and the United States.
The Organizational Structure of BADBOX
In a complaint filed on July 11, 2025, Google described the organizational structure of the BADBOX enterprise, identifying distinct groups operating at different levels of the scheme. These include an Infrastructure Group that runs the core command-and-control servers, a Backdoor Malware Group responsible for embedding the backdoor in devices, and an Evil Twin Group focused on ad fraud. Google alleges that some of these actors went as far as setting up fake publisher accounts on its ad network in order to profit from fraudulent ad impressions. The scale of the operation shows how cybercriminals now exploit weak points in the device supply chain, rather than software vulnerabilities, and monetize the access through seemingly benign applications.
Google's lawsuit targets a significant cybersecurity threat: BADBOX 2.0 has compromised millions of devices through supply-chain tampering and deceptive app distribution. Disrupting fraud operations of this size matters both for consumer protection and for the integrity of online advertising platforms. The case underlines the need for device certification and supply-chain controls, and it shows the value of coordination among tech firms and law enforcement in dismantling such criminal enterprises.