Edward Kiledjian's Threat Intel

Google sues alleged operators of BadBox 2.0 botnet infecting 10 million Android devices

Google has filed a landmark lawsuit against 25 unnamed individuals based in China, alleging they orchestrated a global Android botnet operation—dubbed BadBox 2.0—that has compromised more than 10 million devices and generated illicit revenue through ad fraud.

The complaint, lodged in a New York federal court, invokes the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations Act (RICO). It seeks damages and a permanent injunction to dismantle the botnet’s infrastructure, which spans over 100 domains. Google is collaborating with the FBI to advance enforcement efforts.

At the heart of the scheme are low-cost, uncertified Android Open Source Project (AOSP) devices—smart TVs, projectors, tablets, streaming boxes, digital picture frames and even in-car systems—embedded with BadBox malware before reaching consumers. Infections typically stem from supply chain tampering, in which attackers preload malware during the manufacturing or distribution phase. Some infections also occur via malicious app downloads from third-party sources.

Once active, the malware turns infected hardware into residential proxies sold to other cybercriminals, while also executing hidden ad renders, automated ad clicks, and fake web-based game interactions—collectively siphoning revenue from Google’s advertising ecosystem.

Google reports over 170,000 infected devices in New York alone as of April 2025. Despite major mitigation efforts—including thousands of terminated publisher accounts and Play Protect enhancements—the botnet continues to operate.

This legal action follows the December 2024 takedown of the original BadBox 1.0 infrastructure, when German authorities sinkholed its command-and-control servers. The rapid pivot to BadBox 2.0 highlights the adaptability of its operators and exposes the broader risks tied to uncertified Android ecosystems.

What you can do

Experts advise consumers and organizations to:

  • Avoid purchasing devices from unverified sources.
  • Enable protections such as Google Play Protect, where supported.
  • Monitor network activity for unusual patterns.
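The third item above is the one a home or small-office defender can act on directly. As an added illustration (not code from the original post, Google, or any vendor), the script below scans constructed connection-log lines and flags a LAN device whose traffic looks like a residential proxy: many distinct external destinations combined with mostly outbound bytes. The log layout, the TEST-NET addresses and the two thresholds are assumptions chosen for the example; a real deployment would tune them against the baseline of its own devices.

```python
"""Heuristic residential-proxy spotter over constructed flow-log lines.

Added example, not from the original post. Field layout
("epoch src_ip dst_ip dst_port bytes_out bytes_in") and thresholds are
assumptions for illustration only.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed LAN ranges; only LAN -> external flows are scored.
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
            ip_network("172.16.0.0/12")]
MIN_DISTINCT_DST = 8   # assumed: distinct external peers before we care
MIN_OUT_RATIO = 0.80   # assumed: bytes_out / (bytes_out + bytes_in)

# Constructed sample log. .20 is a normal streaming box (few peers, mostly
# inbound), .90 is a browsing laptop (many peers, mostly inbound), .57 is
# the suspect (many peers, mostly outbound, i.e. relaying for others).
SAMPLE_LOG = """\
# epoch       src_ip        dst_ip          port  out    in
1713000000 192.168.1.20 203.0.113.200 443 1200 90000
1713000005 192.168.1.20 203.0.113.201 443 800 45000
1713000009 192.168.1.20 198.51.100.200 443 500 30000
1713000010 192.168.1.20 192.168.1.1 53 60 120
1713000011 192.168.1.57 203.0.113.11 443 20000 1000
1713000012 192.168.1.57 203.0.113.12 8080 20000 1000
1713000013 192.168.1.57 203.0.113.13 443 20000 1000
1713000014 192.168.1.57 203.0.113.14 443 20000 1000
1713000015 192.168.1.57 203.0.113.15 8080 20000 1000
1713000016 192.168.1.57 203.0.113.16 443 20000 1000
1713000017 192.168.1.57 203.0.113.17 443 20000 1000
1713000018 192.168.1.57 203.0.113.18 8080 20000 1000
1713000019 192.168.1.57 203.0.113.19 443 20000 1000
1713000020 192.168.1.57 203.0.113.20 443 20000 1000
1713000021 192.168.1.90 198.51.100.1 443 500 40000
1713000022 192.168.1.90 198.51.100.2 443 500 40000
1713000023 192.168.1.90 198.51.100.3 443 500 40000
1713000024 192.168.1.90 198.51.100.4 443 500 40000
1713000025 192.168.1.90 198.51.100.5 443 500 40000
1713000026 192.168.1.90 198.51.100.6 443 500 40000
1713000027 192.168.1.90 198.51.100.7 443 500 40000
1713000028 192.168.1.90 198.51.100.8 443 500 40000
1713000029 192.168.1.90 198.51.100.9 443 500 40000
"""


def parse_line(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, out_b, in_b = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "out": int(out_b), "in": int(in_b)}


def is_lan(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def summarize(lines):
    """Aggregate per-source peer set and byte counters for LAN -> external flows."""
    stats = defaultdict(lambda: {"dsts": set(), "out": 0, "in": 0, "flows": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if not is_lan(rec["src"]) or is_lan(rec["dst"]):
            continue  # skip inbound and intra-LAN traffic
        s = stats[rec["src"]]
        s["dsts"].add(rec["dst"])
        s["out"] += rec["out"]
        s["in"] += rec["in"]
        s["flows"] += 1
    return stats


def out_ratio(s):
    total = s["out"] + s["in"]
    return s["out"] / total if total else 0.0


def flag_suspicious(stats):
    """Return {src: reason} for devices matching BOTH proxy-like conditions."""
    flagged = {}
    for src, s in stats.items():
        if len(s["dsts"]) >= MIN_DISTINCT_DST and out_ratio(s) >= MIN_OUT_RATIO:
            flagged[src] = (f"{len(s['dsts'])} external peers, "
                            f"outbound ratio {out_ratio(s):.2f}")
    return flagged


if __name__ == "__main__":
    for src, reason in flag_suspicious(summarize(SAMPLE_LOG.splitlines())).items():
        print(f"REVIEW {src}: {reason}")
```

Requiring both conditions is deliberate: a laptop that browses widely trips the peer-count test alone, and a single large upload trips the ratio test alone; an ad-fraud or proxy node tends to show both at once and for hours, so a real check would also window the counters over time rather than over a whole log.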

As supply chain attacks escalate, BadBox 2.0 serves as a cautionary tale for vendors, regulators and buyers alike.