Google has initiated legal action against 25 unidentified individuals in China, claiming they have compromised over 10 million devices globally to create a botnet named BadBox 2.0. This botnet has allegedly been used for various cybercrimes and fraudulent activities.

According to the lawsuit, as of April 2025 BadBox 2.0 comprised more than ten million infected devices, including AOSP-based TV streaming boxes, tablets, projectors and aftermarket car infotainment systems. The complaint describes it as the largest known botnet of internet-connected TV devices, although the infections are not limited to connected TVs.
In a blog post, Google mentioned that this lawsuit aims to dismantle the criminal network behind the botnet, thereby reducing their capacity to commit further crimes and fraud.
However, the defendants are unlikely to face personal consequences: they are located in China, which has no extradition treaty with the United States.
Google, working with Trend Micro, Human Security and the Shadowserver Foundation, has already identified the command-and-control (C2) servers and domains that direct the compromised devices.
If the court rules in Google's favour, the resulting orders could let the company have those C2 domains disabled or transferred, cutting the operators off from the infected devices and significantly disrupting BadBox 2.0.
The first BadBox campaign surfaced in late 2022, when roughly 74,000 unbranded Android-based internet-connected TV devices were found to be infected with backdoors. Human Security's Satori research team helped disrupt that operation by dismantling its ad-fraud infrastructure and C2 servers.
Earlier this year, the Satori team raised concerns about the resurgence of BadBox 2.0. They once again collaborated with private companies and law enforcement to partially disrupt its network.
Despite these efforts, the FBI has warned consumers that the criminals behind BadBox 2.0 continue to compromise Android devices, an indication that the botnet is still growing.
BadBox 2.0 also operates a residential proxy service: infected devices relay traffic for the operators and their customers, so that activity appears to originate from real IP addresses assigned to home users. The operators use this capacity to launch distributed denial of service (DDoS) attacks and sell access to the infected devices' IP addresses to others. Owners of the compromised devices are usually unaware that their TVs are part of a botnet.
Human Security has documented a range of criminal activity routed through BadBox, including account takeovers, fake-account creation, credential theft and DDoS attacks, carried out by customers who buy proxy access from the botnet operators.
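The proxy behaviour described above is visible from the home side of the network even when the device itself cannot be inspected. As an added example, not code from the article, Google or Human Security, the following Python heuristic profiles each device's outbound flows from constructed sample records and flags a set-top box whose egress fans out to many unrelated destinations and to ports a streaming device has no reason to use. The record format, the baseline port set and the thresholds are assumptions made for this example; in practice they would be derived from a baseline of the device's own traffic.

```python
"""Heuristic check for residential-proxy style egress from a consumer device.

Added example, not from the article or any vendor. A TV streaming box normally
talks to a small, stable set of hosts (app store, streaming CDNs, update and
time servers) on a handful of ports. A box whose connectivity is being resold
as a residential proxy exit relays other people's sessions, so its outbound
connections fan out to many unrelated destinations and to ports that have
nothing to do with streaming. This is behavioural, not an IOC match, and the
thresholds below are assumptions chosen for the constructed sample.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ports a set-top streaming box is assumed to use in normal operation
# (assumption for this example; build it from the device's own baseline).
BASELINE_PORTS = {53, 80, 123, 443, 8443}


@dataclass
class Profile:
    flows: int = 0
    dsts: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    off_baseline: int = 0  # flows to ports outside BASELINE_PORTS


def parse_flows(text):
    """Parse 'src dst dport' records, one per line (a constructed format, not
    any real flow exporter's). Blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((src, dst, int(dport)))
    return flows


def profile_devices(flows):
    """Aggregate flows per source device into a Profile."""
    profiles = defaultdict(Profile)
    for src, dst, dport in flows:
        p = profiles[src]
        p.flows += 1
        p.dsts.add(dst)
        p.ports.add(dport)
        if dport not in BASELINE_PORTS:
            p.off_baseline += 1
    return profiles


def flag_proxy_like(flows, min_distinct_dsts=8, max_off_baseline_share=0.25):
    """Return {src: [reasons]} for devices whose egress looks like proxy relaying.

    Two independent signals: fan-out to many distinct destinations, and a
    large share of flows to ports outside the device's baseline. Either one
    is enough to flag; both together is the strong case.
    """
    flagged = {}
    for src, p in profile_devices(flows).items():
        reasons = []
        if len(p.dsts) >= min_distinct_dsts:
            reasons.append(f"{len(p.dsts)} distinct destinations")
        share = p.off_baseline / p.flows
        if share > max_off_baseline_share:
            odd_ports = sorted(p.ports - BASELINE_PORTS)
            reasons.append(f"{share:.0%} of flows to non-baseline ports {odd_ports}")
        if reasons:
            flagged[src] = reasons
    return flagged


# Constructed sample using documentation address ranges (RFC 5737), not real traffic.
SAMPLE_FLOWS = """
# src          dst            dport
# healthy streaming box: a few CDN / app-store hosts, DNS
192.168.1.20   203.0.113.10   443
192.168.1.20   203.0.113.11   443
192.168.1.20   203.0.113.12   443
192.168.1.20   198.51.100.5   53
# suspected proxy exit: same kind of box fanning out to unrelated hosts and ports
192.168.1.42   203.0.113.10   443
192.168.1.42   198.51.100.20  443
192.168.1.42   198.51.100.21  80
192.168.1.42   198.51.100.22  443
192.168.1.42   198.51.100.23  25
192.168.1.42   198.51.100.24  587
192.168.1.42   198.51.100.25  8080
192.168.1.42   198.51.100.26  443
192.168.1.42   198.51.100.27  3128
192.168.1.42   198.51.100.28  443
192.168.1.42   203.0.113.99   9001
"""

if __name__ == "__main__":
    for device, reasons in flag_proxy_like(parse_flows(SAMPLE_FLOWS)).items():
        print(device, "->", "; ".join(reasons))
```

The fan-out signal is the one that generalises: a relayed session can land on any host and port, whereas a streaming box's destination set barely changes week to week. Expect false positives from devices that legitimately use peer-to-peer CDNs, so treat a hit as a prompt to capture and inspect the device's traffic rather than as proof of compromise.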
As Human Security’s CISO, Gavin Reid, noted in an interview, there are expectations for the emergence of BadBox 3.
The lawsuit sheds light on the workings of BadBox, which Google refers to as the “BadBox 2.0 Enterprise.” It outlines several groups involved in different aspects of the operation, targeting internet-connected devices both before and after they reach consumers.
One group, known as the Infrastructure Group, is responsible for developing and managing the primary C2 servers and domains for BadBox 2.0. The lawsuit includes a list of all known domains associated with this enterprise.
Another, the Backdoor Malware Group, preinstalls backdoors on devices before they reach consumers, giving it control of part of the botnet and letting it sell proxy access to the infected devices for ad fraud and other financially motivated schemes.
The enterprise also includes groups that maintain secondary infrastructure, specific malware families and the apps deployed on infected devices, including the domains and C2 servers that keep the malware packages running and monetize the devices' advertising space.
The lawsuit states that these various threat groups are interconnected through shared infrastructure and historical business relationships.
When approached for comment on the lawsuit, Human Security’s CEO, Stu Solomon, expressed support for Google’s actions.
He stated that this initiative represents a significant advancement in the ongoing effort to secure the internet from sophisticated fraud that hijacks devices, steals money, and exploits unsuspecting consumers.
Solomon highlighted the valuable collaboration between his company, Google, Trend Micro, and the Shadowserver Foundation in exposing and dismantling this threat.