Google Initiates Legal Action Against 25 Chinese Entities Over BADBOX 2.0 Botnet Impacting 10 Million Android Devices

On July 17, 2025, Google announced it has filed a lawsuit in the U.S. District Court for the Southern District of New York against 25 unidentified individuals or entities based in China. The tech giant alleges these defendants are responsible for operating the BADBOX 2.0 botnet, which has compromised over 10 million uncertified Android devices worldwide.

Overview of the BADBOX 2.0 Botnet

BADBOX 2.0 is a large botnet that targets uncertified devices built on the Android Open Source Project (AOSP): low-cost TV boxes, streaming devices, projectors and tablets that ship without Google Play Services and therefore without Google Play Protect or Google's other built-in protections. The malware reaches devices through two primary methods:

1. Pre-Installed Malware: The backdoor is placed in the device firmware somewhere in the supply chain, so the device is already compromised when the consumer buys it and connects it to the internet.

2. Malicious Applications: Users install apps from unofficial marketplaces, and those apps carry the backdoor onto devices that were clean at purchase.

Once compromised, a device joins the botnet and is used for large-scale ad fraud and other crimes, such as routing third-party traffic through the infected device as a residential proxy.
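A practitioner who has one of these devices on the bench can at least separate the two infection vectors above from `adb` output: third-party apps carry an installer attribution (`pm list packages -3 -i`), so anything not installed by a trusted storefront is a sideload candidate, while apps on the system partition (`pm list packages -s`) that fall outside the AOSP and Google namespaces are the vendor-added set to review for a pre-installed backdoor. The script below is an added example, not code from Google, HUMAN Security or the complaint; the `adb` output it parses is constructed for illustration, and the trusted-installer set and the namespace heuristic are assumptions that should be adjusted for the device under review.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` output (third-party
# apps with their installer). Not data from a real device.
THIRD_PARTY_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.weather  installer=com.android.vending
package:com.tvstream.freehd  installer=null
package:com.cleaner.booster.pro  installer=com.aptoide.store
"""

# Constructed sample of `adb shell pm list packages -s` output (system-partition apps).
SYSTEM_OUTPUT = """\
package:android
package:com.android.settings
package:com.android.systemui
package:com.google.android.gms
package:com.example.oem.launcher
"""

# Assumption for this example: only the Play Store is a trusted installer.
# Add a vendor storefront here if the device legitimately ships one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: packages under these prefixes are stock AOSP/Google components;
# any other system package was added by the vendor and deserves a look.
STOCK_PREFIXES = ("android", "com.android.", "com.google.")

LINE_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?\s*$")


def parse_pm_list(output):
    """Parse `pm list packages` output into {package: installer or None}."""
    packages = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore anything that is not a package line
        pkg, installer = match.group(1), match.group(2)
        # `pm` prints installer=null when the install source is unknown.
        packages[pkg] = None if installer in (None, "null") else installer
    return packages


def classify_third_party(third_party):
    """Split third-party apps into trusted-store installs and sideload candidates."""
    trusted, sideloaded = [], []
    for pkg, installer in sorted(third_party.items()):
        if installer in TRUSTED_INSTALLERS:
            trusted.append((pkg, installer))
        else:
            sideloaded.append((pkg, installer or "unknown"))
    return {"trusted": trusted, "sideloaded": sideloaded}


def vendor_added_system_apps(system):
    """Return system-partition packages outside the stock AOSP/Google namespaces."""
    return sorted(pkg for pkg in system if not pkg.startswith(STOCK_PREFIXES))


def triage(third_party_output, system_output):
    """Produce the two review lists an analyst would start from."""
    report = classify_third_party(parse_pm_list(third_party_output))
    report["vendor_added_system"] = vendor_added_system_apps(parse_pm_list(system_output))
    return report


if __name__ == "__main__":
    result = triage(THIRD_PARTY_OUTPUT, SYSTEM_OUTPUT)
    print("Sideload candidates (vector 2):")
    for pkg, src in result["sideloaded"]:
        print(f"  {pkg}  installer={src}")
    print("Vendor-added system apps to review (vector 1):")
    for pkg in result["vendor_added_system"]:
        print(f"  {pkg}")
```

The output only narrows the search. A package with `installer=null` may be a legitimate developer sideload, and a vendor-added system app is not evidence of a backdoor on its own; both lists are starting points for pulling the APKs (`adb pull`) and examining them.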

Google’s Response and Legal Action

Upon discovering the botnet, Google updated Google Play Protect, its built-in malware defense, to automatically block apps associated with BADBOX. The caveat is scope: Play Protect runs only on devices certified to ship Google Play Services, so this blocks the associated apps on certified phones and tablets but does nothing for the uncertified AOSP devices that make up the bulk of the botnet.

The lawsuit, filed on July 11, 2025, outlines the structure of the BADBOX enterprise, identifying several specialized groups within the operation:

– Infrastructure Group: Responsible for establishing and managing the botnet’s command-and-control (C2) infrastructure.

– Backdoor Malware Group: Develops the backdoor and gets it pre-installed on devices, giving the operators persistent remote access.

– Evil Twin Group: Creates counterfeit versions of legitimate apps that serve hidden ads and launch hidden browsers to load ad-bearing web pages.

– Ad Games Group: Uses fraudulent games to generate ad impressions and clicks.

Google alleges that the BADBOX operators created publisher accounts on the Google Ad Network, offering ad space on apps and websites they controlled. Infected devices then generated fake impressions and clicks against that inventory, so advertisers paid for traffic no human ever saw. The scheme defrauds advertisers directly and undermines trust in the digital advertising platforms that carried it.

Broader Implications and Industry Response

BADBOX 2.0 is one of the largest consumer-device botnets documented to date. In June 2025, the FBI issued a public warning about it, highlighting its rapid spread and the risk it poses to consumers and businesses alike.

Cybersecurity firms have also been actively involved in combating BADBOX. In March 2025, HUMAN Security described it as the largest botnet of infected connected TV devices ever uncovered, with infections concentrated in Brazil, the United States, Mexico, and Argentina.

Stu Solomon, CEO of HUMAN Security, commended Google’s legal action, stating that it exemplifies the power of collaboration in addressing such sophisticated threats. He emphasized that dismantling operations like BADBOX is crucial for maintaining the integrity of the internet and protecting consumers from exploitation.

Conclusion

Google’s lawsuit against the operators of the BADBOX 2.0 botnet underscores the company’s commitment to safeguarding its users and the broader digital ecosystem. By pursuing the alleged perpetrators through the courts, Google seeks orders that let it disrupt the botnet’s infrastructure and cut off further exploitation of compromised devices. The case also illustrates the limits of platform defenses against supply-chain compromise: devices infected before sale never benefit from app-store screening, so countering them requires cooperation among tech companies, law enforcement, and the security research community.