Article Details
Scrape Timestamp (UTC): 2025-07-17 23:36:24.043
Source: https://www.theregister.com/2025/07/17/google_sues_25_unnamed_chinese/
Original Article Text
Google sues 25 alleged BadBox 2.0 botnet operators, all of whom are in China

Ads giant complains of damage to its reputation and finances ... and crime, too.

Google has filed a lawsuit against 25 unnamed individuals in China it accuses of breaking into more than 10 million devices worldwide, using them to build a botnet called BadBox 2.0, and then carrying out other cybercrimes and fraud.

"As of April 2025, BadBox 2.0 is comprised of more than ten million infected AOSP-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems," according to the lawsuit [PDF]. "In fact, BadBox 2.0 is the largest botnet of infected [connected TVs] CTVs ever uncovered and expands beyond CTVs to include additional devices such as tablets, digital projectors, and others."

"This lawsuit enables us to further dismantle the criminal operation behind the botnet, cutting off their ability to commit more crime and fraud," according to a Thursday blog post.

The search and ads giant also has a selfish motive, as its filing alleges BadBox "interferes with Google's relationships with its users (and potential users), harms Google's reputation, impairs the value of Google's products and services, and forces Google to devote substantial resources to investigate and combat the botnet's harmful activity."

It's unlikely the suit will see any of the accused held to account, as they're in China and the Middle Kingdom seldom allows extraditions to the USA.

Google, working with Trend Micro, Human Security and the Shadowserver Foundation, previously identified the C2 servers and domains directing the hijacked devices. So, assuming the court sides with Google, this lawsuit would allow the tech giant to sinkhole those C2 domains, further disrupting BadBox 2.0's operations.

Bigger and badder than ever

The first BadBox outbreak occurred in late 2022 after attackers infected around 74,000 off-brand Android-powered internet-connected TV devices with backdoors.
Human Security's Satori researchers helped disrupt the operation by taking down its ad-fraud infrastructure and C2 servers.

Earlier this year, however, the Satori team sounded the alarm on BadBox 2.0. Once again, Human Security partnered with private firms and law enforcement to partially disrupt its infrastructure.

But even after that effort to quash BadBox 2.0, the FBI issued a Public Service Announcement warning consumers that cybercriminals continue to exploit Android devices, meaning the botnet continued to expand.

So did BadBox's residential-proxy infrastructure, which allows attackers to use real IP addresses assigned to residential users as a means of masking malicious network traffic. The threat actors then use this access to launch distributed denial of service (DDoS) and other attacks from an infected device, or sell access to the device's IP address to other miscreants.

Users of the infected boxes seldom learn that their connected TV is part of a botnet, according to Human Security. The security shop previously documented account takeovers, fake account creations, credential stealing, sensitive information exfiltration, and DDoS attacks perpetrated by downstream miscreants who bought residential proxy services from the BadBox operators.

Plus, as Human Security CISO Gavin Reid told The Register in an earlier interview: "We expect there will be a Badbox 3."

The BadBox 2.0 Enterprise

The lawsuit provides a detailed look at how BadBox works — Google calls this the "BadBox 2.0 Enterprise" — and it includes several different groups that design and carry out various parts of the operation targeting internet-connected devices both before and after the consumer receives the equipment.

First, the Infrastructure Group develops and manages BadBox 2.0's primary C2 servers and domains. The lawsuit lists all of the known domains used by the Enterprise.
There's also a "Backdoor Malware Group," responsible for preinstalling backdoors in the bots that are used to operate a portion of the botnet and sell access to proxy devices used for ad fraud and other money-making schemes.

The Enterprise also has groups that maintain secondary infrastructure, scheme-specific malware, and scheme-specific apps and websites used on the infected devices. This includes domains and C2 servers used to operate malware packages and monetize ad space.

"The groups comprising this segment of the Enterprise operate various malware packages to conduct fraudulent schemes, such as providing downstream proxy access to infected devices or to conduct ad fraud," the lawsuit states, and it lists two of the threat groups behind this secondary infrastructure.

There's the Evil Twin Group, which creates apps for ad-fraud campaigns that use "evil twin" apps — malicious copies of legit apps sold in the Google Play Store — to trick users into downloading the evil duplicate and also to generate ads. These also launch hidden web browsers that load hidden ads.

Additionally, the Ad Games Group is connected to a hidden web browser scheme conducted through infected devices that uses fraudulent "games" to generate ads.

According to the lawsuit, all of these various threat-actor groups remain connected to each other through the shared infrastructure as well as "historical and current business ties." It continues:

The Enterprise works together to carry out the BadBox 2.0 Scheme; none of the schemes can generate revenue without multiple members' participation and coordination. The Enterprise forms a centralized C2 Server ecosystem, develops, exploits, and sells backdoor access to individual devices to connect those devices to the central C2 Servers, and uses that access to attack the digital advertising ecosystem from multiple angles.

When asked about the lawsuit, Human Security CEO Stu Solomon told The Register that his company applauds Google's action.
"This takedown marks a significant step forward in the ongoing battle to secure the internet from sophisticated fraud operations that hijack devices, steal money, and exploit consumers without their knowledge," Solomon said. "We're proud to have been deeply involved in this operation, working in close partnership with Google, Trend Micro, and the Shadowserver Foundation. Their collaboration has been invaluable in helping us expose and dismantle this threat."
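As an added example (not code from the article, Google, Human Security or the lawsuit): the residential-proxy and hidden-browser ad-fraud behaviour described above changes what a streaming box's network traffic looks like, and that shape can be checked from ordinary flow logs. A legitimate CTV box talks to a handful of CDN hosts in large flows; a box being rented out as a proxy exit, or running a hidden browser that loads ads, fans out to many unrelated hosts in small flows. The script below runs that heuristic over constructed sample records; the addresses, the watched-device list and the thresholds are all illustrative assumptions.

```python
"""Flag single-purpose devices (streaming boxes, CTVs) whose egress looks like
residential-proxy or hidden-browser ad-fraud traffic.

Heuristic: a legitimate streaming box talks to a handful of CDN hosts in large
flows; a box being rented out as a proxy exit, or running a hidden browser that
loads ads, fans out to many unrelated hosts in small flows.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample flow log (illustrative, not real telemetry).
# Format: timestamp src_ip dst_ip dst_port bytes_out
# 192.168.1.50 behaves like a streaming box, 192.168.1.77 like a proxied box,
# 192.168.1.20 is a laptop whose fan-out is normal for a general-purpose host.
SAMPLE_FLOWS = """\
2025-07-17T10:00:01Z 192.168.1.50 203.0.113.10 443 4200000
2025-07-17T10:04:37Z 192.168.1.50 203.0.113.10 443 3900000
2025-07-17T10:09:02Z 192.168.1.50 203.0.113.11 443 2800000
2025-07-17T10:00:02Z 192.168.1.77 198.51.100.5 443 1400
2025-07-17T10:00:03Z 192.168.1.77 198.51.100.62 443 2300
2025-07-17T10:00:03Z 192.168.1.77 203.0.113.77 80 980
2025-07-17T10:00:04Z 192.168.1.77 198.51.100.130 443 3100
2025-07-17T10:00:05Z 192.168.1.77 203.0.113.201 443 1700
2025-07-17T10:00:06Z 192.168.1.77 198.51.100.9 443 5200
2025-07-17T10:00:06Z 192.168.1.77 203.0.113.44 80 1200
2025-07-17T10:00:07Z 192.168.1.77 198.51.100.250 443 2900
2025-07-17T10:00:08Z 192.168.1.77 203.0.113.133 443 870
2025-07-17T10:00:09Z 192.168.1.77 198.51.100.71 443 4400
2025-07-17T10:00:10Z 192.168.1.20 198.51.100.20 443 6100
2025-07-17T10:00:11Z 192.168.1.20 198.51.100.21 443 2200
"""

# Hosts the asset inventory says are single-purpose streaming devices.
# This set is an assumption for the example; in practice it would come from
# DHCP leases, MAC OUI lookups or a managed-device inventory.
WATCHED_DEVICES = {"192.168.1.50", "192.168.1.77"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def score_devices(flows, watched, min_distinct_dsts=8, max_median_bytes=65536):
    """Return {src: verdict} for watched hosts only.

    A host is proxy_like when it contacted at least min_distinct_dsts distinct
    destinations and its median outbound flow is at most max_median_bytes,
    i.e. many small connections rather than a few large video streams.
    The thresholds are illustrative and should be tuned per network.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.src in watched:
            by_src[f.src].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        distinct = len({f.dst for f in fl})
        med = median(f.nbytes for f in fl)
        verdicts[src] = {
            "distinct_dsts": distinct,
            "median_bytes": med,
            "proxy_like": distinct >= min_distinct_dsts and med <= max_median_bytes,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in score_devices(parse_flows(SAMPLE_FLOWS), WATCHED_DEVICES).items():
        flag = "SUSPICIOUS" if v["proxy_like"] else "ok"
        print(f"{src}: {v['distinct_dsts']} destinations, "
              f"median {v['median_bytes']} B -> {flag}")
```

The check is deliberately restricted to devices the inventory says are single-purpose: a laptop or phone fans out to many small flows as a matter of course, so the same signal on a general-purpose host is noise. It is a coarse first pass, not an indicator of compromise on its own; a hit should be correlated with DNS queries for the C2 domains listed in the lawsuit and with destination ASN diversity before the box is pulled off the network.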
Daily Brief Summary
Google has initiated legal action against 25 unidentified individuals based in China for compromising more than 10 million devices worldwide.
These devices, infected by the BadBox 2.0 botnet, include streaming boxes, tablets, projectors, and car infotainment systems.
The complaint accuses the botnet of interfering with Google's relationships with its users, damaging its reputation, and forcing Google to spend substantial resources investigating and combating it.
This lawsuit aims to dismantle the criminal operations of BadBox 2.0, preventing further cybercrimes and fraudulent activities.
Despite the lawsuit, accountability is uncertain as extradition from China to the USA is rare.
Earlier efforts by Human Security, working with Google and other partners, partially disrupted BadBox infrastructure, but the botnet has continued to expand.
The botnet supports ad fraud, DDoS attacks, and other downstream crime by turning infected devices into residential proxies whose real consumer IP addresses mask illicit traffic.
Google's legal action highlights key groups within the botnet’s infrastructure responsible for different fraudulent and criminal activities.