Google sues anonymous operators behind BadBox malware in unprecedented legal move

  • Marijan Hassan - Tech Journalist
  • Jul 22
  • 2 min read

In an unconventional move to combat sophisticated cybercrime, Google has filed a federal lawsuit against the anonymous operators of the pervasive BadBox 2.0 Android malware botnet. The tech giant accuses the unknown individuals, believed to be based in China, of orchestrating a global ad fraud scheme that has compromised over 10 million Android-based devices worldwide, including smart TVs and streaming boxes.


The lawsuit, filed in New York federal court, marks a significant escalation in Google's efforts to disrupt the increasingly prevalent and financially damaging threat of ad fraud.


The company is seeking damages and a permanent injunction to dismantle the malware infrastructure and prevent its further spread, invoking both the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act.


A new breed of malware

BadBox 2.0 is a successor to the original BadBox botnet, which German authorities disrupted in December 2024 by sinkholing its command-and-control (C2) infrastructure.


However, the criminal enterprise quickly re-emerged as BadBox 2.0, now infecting an estimated 10 million devices as of April 2025, with more than 170,000 devices reportedly compromised in New York state alone.


The botnet primarily targets devices running the Android Open Source Project (AOSP) that lack crucial security protections like Google Play Protect.


How BadBox 2.0 works

The malware typically finds its way onto devices through two primary vectors:


  • Pre-installed infection: Threat actors purchase low-cost AOSP devices, modify the firmware to include the malware, and then resell them to unsuspecting buyers online.

  • Malicious apps: Users are tricked into installing apps embedded with BadBox 2.0, which then quietly turns their devices into remote-controlled bots.


Once infected, the device connects to remote C2 servers and begins executing commands issued by the attackers.


Ad fraud at scale

Google's lawsuit specifically highlights the botnet's extensive ad fraud operations, which exploit the company's advertising platforms in three main ways:


  • Hidden ad rendering: "Evil twin" apps are silently installed on infected devices, loading hidden ads in the background on attacker-controlled websites that feature Google ads. This generates fraudulent ad revenue for the perpetrators.

  • Web-based game sites: Bots are programmed to launch invisible web browsers and play rigged games, rapidly triggering Google ad views and subsequently generating illicit revenue for attacker-controlled publisher accounts.

  • Search ad click fraud: The bots perform search queries on attacker-operated websites that use AdSense for Search, manipulating the results so that advertisements are displayed and fraudulent ad revenue is generated from clicks.
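The three fraud patterns above share observable traits on the ad-platform side: impressions that are never actually visible, view rates no human viewer could produce, and clicks that are not preceded by a visible impression. The following Python script is an added illustration of how a defender might score per-device ad event records for those traits; it is not Google's detection logic, and the event fields, thresholds and sample records are constructed assumptions for the example.

```python
"""Heuristic scoring of ad-event records for the fraud signals described above.
Event shape, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AdEvent:
    device_id: str
    ts: float          # seconds since epoch
    kind: str          # "impression" or "click"
    visible: bool      # ad surface was actually drawn in a visible viewport
    screen_on: bool    # device display was on when the event fired


# Constructed sample: one plausible viewer and one device behaving like a bot.
SAMPLE_EVENTS = (
    [AdEvent("tv-001", 1000 + 180 * i, "impression", True, True) for i in range(4)]
    + [AdEvent("tv-001", 1000 + 180 * 3 + 4, "click", True, True)]
    + [AdEvent("box-777", 2000 + 1.5 * i, "impression", False, False) for i in range(40)]
    + [AdEvent("box-777", 2000 + 30, "click", False, False)]
)

MAX_IMPRESSIONS_PER_MINUTE = 20   # assumed ceiling for a human viewer
HIDDEN_RATIO_LIMIT = 0.5          # assumed: more than half of impressions never visible
CLICK_VISIBILITY_WINDOW = 10.0    # assumed: a click should follow a visible impression within this


def peak_rate_per_minute(timestamps, window=60.0):
    """Largest number of events falling in any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_device(events):
    """Return the list of fraud indicators raised by one device's events."""
    impressions = [e for e in events if e.kind == "impression"]
    clicks = [e for e in events if e.kind == "click"]
    reasons = []
    if impressions:
        # Hidden rendering: ads loaded off-screen or with the display off.
        hidden = sum(1 for e in impressions if not e.visible or not e.screen_on)
        if hidden / len(impressions) > HIDDEN_RATIO_LIMIT:
            reasons.append("hidden_rendering")
        # Rigged-game style bursts: far more views per minute than a person produces.
        if peak_rate_per_minute([e.ts for e in impressions]) > MAX_IMPRESSIONS_PER_MINUTE:
            reasons.append("impossible_view_rate")
    # Click fraud: a click with no visible impression shortly before it.
    visible_ts = [e.ts for e in impressions if e.visible and e.screen_on]
    for c in clicks:
        if not any(0 <= c.ts - t <= CLICK_VISIBILITY_WINDOW for t in visible_ts):
            reasons.append("click_without_visible_impression")
            break
    return reasons


def flag_devices(events):
    """Group events by device and return only devices that raised indicators."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device_id].append(e)
    return {d: r for d, evs in by_device.items() if (r := score_device(evs))}


if __name__ == "__main__":
    for device, reasons in flag_devices(SAMPLE_EVENTS).items():
        print(device, reasons)
```

Run as-is, the script flags only the constructed `box-777` device, on all three indicators, while the `tv-001` viewer passes. In a real pipeline the visibility and screen-state fields would come from the ad SDK's viewability measurement, and thresholds would be tuned against known-good traffic rather than fixed as here.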


Beyond ad fraud, compromised devices are also reportedly sold to other cybercriminals as residential proxies without the victims' knowledge, further expanding the illicit activities enabled by the botnet.


A growing threat

Google's complaint emphasizes the escalating danger posed by BadBox 2.0, stating that if left unchecked, the "BadBox 2.0 Enterprise will continue to generate revenue, will use those proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity, and Google will be forced to continue expending substantial financial resources to investigate and combat the Enterprise's fraudulent activity."
