Scrape Timestamp (UTC): 2025-07-17 20:06:04.951
Original Article Text
Google sues to disrupt BadBox 2.0 botnet infecting 10 million devices

Google has filed a lawsuit against the anonymous operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company's advertising platforms.

The BadBox 2.0 malware botnet is a cybercrime operation that utilizes infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections such as Google Play Protect. These devices become infected in one of two ways: threat actors purchase low-cost AOSP devices, modify the operating system to include the BadBox 2.0 malware, and resell them online; or users are tricked into downloading and installing malicious apps that contain the malware.

The malware then acts as a backdoor that connects to command-and-control (C2) servers operated by the attackers, from which it receives commands to execute on the device. Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims' knowledge, or are used to conduct ad fraud.

Google's lawsuit primarily focuses on the ad fraud component, which the botnet commonly conducts against the company's advertising platforms. This ad fraud is done in three ways:

In December 2024, the original BadBox botnet was disrupted by Germany after the country blocked communication between the infected devices and their command-and-control (C2) infrastructure by sinkholing DNS queries. However, that did not stop the criminal enterprise, as the threat actors quickly launched BadBox 2.0, which is now believed to have infected over 10 million Android-based devices as of April 2025. Google's complaint says that there are more than 170,000 infected devices in New York state alone.
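The German takedown described above worked at the resolver: DNS queries for the botnet's C2 domains were answered with a sinkhole address, so infected devices could no longer reach their operators. The same two pieces of logic (match queried names against a C2 domain list, and emit a sinkhole rule for those domains) are what a network defender runs locally to find infected devices. The following is an added example, not code from the article or from Google's complaint; the domain names, the sinkhole IP and the dnsmasq-style log lines are all constructed placeholders, since the article does not reproduce the 100+ domains listed in the complaint.

```python
"""Spot devices querying known C2 domains in resolver logs, and render a
resolver-side sinkhole for those domains.

Added example, not from the article. Every domain, IP and log line below is
constructed; the real domains from Google's complaint are not included.
"""
from collections import defaultdict
import re

# Constructed placeholder blocklist (.invalid TLD, RFC 2606); NOT the real list.
C2_BLOCKLIST = {
    "c2-example-one.invalid",
    "c2-example-two.invalid",
}

# Constructed sinkhole address from the RFC 5737 documentation range.
SINKHOLE_IP = "192.0.2.1"

# Constructed log lines in dnsmasq's "query[TYPE] name from client" format.
SAMPLE_LOG = """\
Jul 17 19:58:01 resolver dnsmasq[1234]: query[A] www.example.org from 10.0.0.5
Jul 17 19:58:02 resolver dnsmasq[1234]: query[A] c2-example-one.invalid from 10.0.0.23
Jul 17 19:58:07 resolver dnsmasq[1234]: query[A] updates.c2-example-two.invalid from 10.0.0.23
Jul 17 19:58:09 resolver dnsmasq[1234]: query[AAAA] c2-example-one.invalid from 10.0.0.42
Jul 17 19:58:11 resolver dnsmasq[1234]: query[A] cdn.example.net from 10.0.0.5
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_blocked(name, blocklist=C2_BLOCKLIST):
    """True if name is a blocklisted domain or a subdomain of one.

    Matching on the label boundary ("." + domain) avoids false positives such
    as "notc2-example-one.invalid" matching "c2-example-one.invalid".
    """
    name = name.lower().rstrip(".")
    return any(name == bad or name.endswith("." + bad) for bad in blocklist)


def parse_queries(log_text):
    """Yield (client, qtype, name) for each query line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qtype"), m.group("name")


def find_infected_clients(log_text, blocklist=C2_BLOCKLIST):
    """Map each client IP to the sorted list of blocklisted names it queried."""
    hits = defaultdict(set)
    for client, _qtype, name in parse_queries(log_text):
        if is_blocked(name, blocklist):
            hits[client].add(name.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


def sinkhole_zone(blocklist=C2_BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
    """Render one dnsmasq address=/domain/ip line per blocklisted domain.

    dnsmasq answers the domain and all of its subdomains with the given IP,
    which is the resolver-side sinkhole that severs the bot's C2 channel.
    """
    return "\n".join(f"address=/{d}/{sinkhole_ip}" for d in sorted(blocklist))


if __name__ == "__main__":
    for client, names in sorted(find_infected_clients(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
    print(sinkhole_zone())
```

Matching is done on the label boundary rather than with a plain substring test so that a lookalike name which merely contains a listed domain is not flagged; the per-client grouping turns raw query lines into a list of devices to pull off the network and re-image.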
Google's complaint states that it has already terminated thousands of publisher accounts linked to the operation, but warns that the botnet continues to grow and poses an increasing cybersecurity risk.

"If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate," warns Google. "The BadBox 2.0 Enterprise will continue to generate revenue, will use those proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity, and Google will be forced to continue expending substantial financial resources to investigate and combat the Enterprise's fraudulent activity."

Because the defendants are unknown and believed to reside in China, Google is pursuing relief under the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations (RICO) Act. The company seeks damages and a permanent injunction to dismantle the malware infrastructure and prevent the further spread of the malware. Included in the complaint is a list of over 100 internet domains that are part of the cybercrime operation's infrastructure.
Daily Brief Summary
Google has filed a lawsuit against the operators of the BadBox 2.0 malware botnet, implicated in a massive ad fraud scheme.
BadBox 2.0 has infected over 10 million Android Open Source Project (AOSP) devices globally, including smart TVs and streaming devices.
The malware functions by converting infected devices into residential proxies for cybercrime or utilizing them for ad fraud on Google's platforms.
BadBox 2.0 originated after the disruption of its predecessor by German authorities in December 2024; however, the new version quickly regrouped and expanded its reach.
Over 170,000 devices in New York State alone are reported to be part of this botnet.
Google has terminated thousands of publisher accounts linked to the fraudulent activities but emphasizes that the threat continues to escalate.
Google's lawsuit seeks damages and a permanent injunction against the malware operations, and invokes the Computer Fraud and Abuse Act and the RICO Act against the unknown perpetrators, who are believed to be in China.
The legal action includes demands to dismantle over 100 internet domains that serve as part of the botnet's infrastructure.