Google Sues Chinese Entities Over 10 Million Device Android Botnet
- John Jordan
- Jul 18 (updated Jul 21)
Google has initiated legal action in New York federal court against 25 unnamed Chinese individuals and entities. The lawsuit targets the alleged operators of the "BADBOX 2.0" botnet, which has compromised over 10 million uncertified Android devices. This sophisticated operation is accused of engaging in large-scale ad fraud and other digital crimes.

Google Takes Legal Action Against Badbox 2.0 Botnet
Google announced on Thursday its lawsuit against 25 Chinese entities for their alleged involvement in operating the BADBOX 2.0 botnet. This botnet has reportedly infected more than 10 million uncertified Android devices, which lack the security protections built into certified Android devices. The tech giant asserts that cybercriminals pre-installed malware on these devices and exploited them for extensive ad fraud and other illicit digital activities.
Understanding The Badbox 2.0 Threat
BADBOX 2.0, first identified in late 2022, primarily spreads through Internet of Things (IoT) devices such as TV streaming devices, digital projectors, and aftermarket vehicle infotainment systems, many of which are manufactured in China. The U.S. Federal Bureau of Investigation (FBI) previously issued a warning about this botnet. Initial infections occurred via supply chain compromises, where devices were backdoored with malware before purchase. More recently, the attack vectors have evolved to include malicious applications downloaded from unofficial marketplaces.
The Anatomy Of The Badbox Enterprise
Google's complaint, filed on July 11, 2025, details that the BADBOX enterprise is structured into multiple groups, each responsible for distinct aspects of the criminal infrastructure:
- The Infrastructure Group: Manages BADBOX 2.0's primary command-and-control (C2) infrastructure.
- The Backdoor Malware Group: Develops and pre-installs backdoor malware on compromised devices.
- The Evil Twin Group: Conducts ad fraud by creating "evil twin" versions of legitimate Google Play Store apps to serve hidden ads and launch hidden web browsers.
- The Ad Games Group: Uses fraudulent "games" to generate ad impressions.
Financial Exploitation And Google's Response
The BADBOX 2.0 actors are accused of creating publisher accounts on the Google Ad Network to offer ad space. They then deploy BADBOX 2.0 bots to "view" these ads, generating numerous impressions for which Google compensates the enterprise. This scheme allows the threat actors to profit from ad fraud in several ways:
- Stealthily loading hidden ads via the "evil twin" scheme.
- Opening hidden web browsers and interacting with ads on their game websites.
- Leveraging infected devices to conduct click fraud.
Google has updated Google Play Protect to automatically thwart BADBOX-related applications. Furthermore, a court has issued a preliminary injunction, mandating the immediate cessation of BADBOX 2.0 operations globally. Third-party internet service providers and domain registries have been compelled to assist in dismantling the botnet's infrastructure by blocking traffic to and from specified domains.
Key Takeaways
- Google is suing 25 Chinese entities over the BADBOX 2.0 botnet.
- The botnet has compromised over 10 million uncertified Android devices.
- BADBOX 2.0 is used for large-scale ad fraud and other digital crimes.
- The operation involves multiple specialized groups.
- Google has implemented protective measures and secured a preliminary injunction to dismantle the botnet.
Sources
Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Affecting 10M Android Devices, The Hacker News.