Saturday, July 26, 2025

Google sues to disrupt BadBox 2.0 botnet infecting 10 million gadgets

Google has filed a lawsuit against the unnamed operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company’s advertising platforms.

The BadBox 2.0 malware botnet is a cybercrime operation that uses infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections such as Google Play Protect.

These devices become infected either when threat actors purchase low-cost AOSP devices, modify the operating system to include the BadBox 2 malware, and then resell them online, or when users are tricked into downloading and installing malicious apps that contain the malware.

The malware then acts as a backdoor that connects to command-and-control (C2) servers operated by the attackers, from which it receives commands to execute on the device.

Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims’ knowledge, or are used to conduct ad fraud.

Google’s lawsuit primarily focuses on the ad fraud component, which the botnet commonly conducts against the company’s advertising platforms.

This ad fraud is carried out in three ways:

  • Hidden ad rendering: Fake “evil twin” apps are silently installed on infected devices to load hidden ads in the background on attacker-controlled websites carrying Google ads, generating fraudulent ad revenue for the operation.
  • Web-based game sites: Bots are instructed to launch invisible web browsers and play rigged games that rapidly trigger Google ad views. Each ad view results in revenue for the attacker-controlled publisher accounts.
  • Search ad click fraud: Bots are instructed to perform search queries on attacker-operated websites that use AdSense for Search, generating advertising revenue from the ads shown in the returned search results.

In December 2024, the original BadBox botnet was disrupted by Germany after the country blocked communication between the infected devices and their command and control (C2) infrastructure by sinkholing DNS queries.

However, that did not stop the criminal enterprise, as the threat actors quickly launched BadBox 2.0, which is now believed to have infected over 10 million Android-based devices as of April 2025. Google’s complaint says that there are more than 170,000 infected devices in New York state alone.

Google’s complaint states that it has already terminated thousands of publisher accounts linked to the operation, but warns that the botnet continues to grow and poses an increasing cybersecurity risk.

“If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate,” warns Google.

“The BadBox 2.0 Enterprise will continue to generate revenue, will use those proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity, and Google will be forced to continue expending substantial financial resources to investigate and combat the Enterprise’s fraudulent activity.”

Because the defendants are unknown and believed to reside in China, Google is pursuing relief under the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations (RICO) Act.

The company seeks damages and a permanent injunction to dismantle the malware infrastructure and prevent the further spread of the malware.

Included in the complaint is a list of over 100 web domains that are part of the cybercrime operation’s infrastructure.
