Google has taken the unprecedented legal step of filing a federal lawsuit in an attempt to dismantle the sprawling "BadBox 2.0" Android botnet, believed to have infected a staggering 10 million devices worldwide. This move targets the anonymous operators, suspected to be based in China, accusing them of orchestrating a sophisticated cybercrime enterprise centered on massive advertising fraud and the illicit sale of compromised device access.

The Anatomy of BadBox 2.0 Infection:
The botnet primarily targets devices running the Android Open Source Project (AOSP), often found in budget smart TVs, streaming boxes, and other connected devices that ship without protections such as Google Play Protect. Infection occurs through two main vectors:

  1. Compromised Supply Chain: Threat actors purchase low-cost AOSP devices, pre-install the BadBox 2.0 malware directly into the operating system firmware, and resell the infected hardware online.
  2. Malicious Apps: Users are tricked into downloading and installing seemingly legitimate applications that carry the hidden BadBox payload.

Once infected, the malware establishes a persistent backdoor, connecting the device to command-and-control (C2) servers. This allows the operators to remotely issue commands, transforming the device into a node within the massive BadBox 2.0 botnet.

Monetizing the Millions: Ad Fraud & Proxies:
The compromised devices serve two primary criminal purposes:

  • Residential Proxy Service: Device resources are sold to other cybercriminals as "residential proxies," masking malicious traffic behind legitimate-looking IP addresses, all without the device owner's knowledge.
  • Large-Scale Ad Fraud (Google's Focus): The lawsuit details three intricate methods used to defraud Google's advertising platforms:
    • Hidden Ad Rendering: Silently installing fake "evil twin" apps that, in the background, load attacker-controlled websites carrying Google ads and render those ads invisibly to the user, generating fraudulent revenue.
    • Web-Based Game Fraud: Launching invisible browsers to automatically play rigged games on specific sites, rapidly triggering ad views that pay out to the attackers.
    • Search Ad Click Fraud: Forcing infected devices to perform search queries on attacker-operated sites using Google's AdSense for Search, generating revenue from the displayed ads.

A Persistent Threat: From BadBox to BadBox 2.0:
This lawsuit follows the partial disruption of the original BadBox botnet in December 2024, achieved when German authorities sinkholed its C2 infrastructure. However, the operators swiftly regrouped, launching the more resilient BadBox 2.0 variant. Google states that as of April 2025, this new iteration had already compromised over 10 million devices, with more than 170,000 infections identified in New York state alone. Despite Google terminating thousands of associated publisher accounts, the botnet continues to grow.

"If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate," Google warns in its complaint. "The BadBox 2.0 Enterprise will continue to generate revenue, will use those proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity."

Legal Gambit Against Anonymous Actors:
Facing anonymous adversaries believed to be operating from China, Google is pursuing an aggressive legal strategy. The company is invoking the Computer Fraud and Abuse Act (CFAA) and the powerful Racketeer Influenced and Corrupt Organizations Act (RICO). Google seeks substantial damages and, critically, a permanent injunction to dismantle the malware's infrastructure, including over 100 identified domains listed in the complaint, and prevent its further spread.

This lawsuit represents a significant escalation in the fight against sophisticated, large-scale mobile botnets. It underscores the severe financial and security risks posed by compromised AOSP devices flooding the market and highlights the challenges platforms face when threat actors operate from jurisdictions with limited cooperation. The outcome could set a crucial precedent for holding anonymous cybercriminal enterprises accountable through civil litigation, even when traditional law enforcement routes are obstructed. For developers and security professionals, it's a stark reminder of the vulnerabilities in the fragmented Android ecosystem and the lucrative persistence of ad fraud operations.

Source: Based on reporting by Lawrence Abrams for BleepingComputer (July 17, 2025).