Google has filed a lawsuit in a New York federal court against 25 unidentified individuals or entities based in China, accusing them of running the BADBOX 2.0 botnet and an extensive residential proxy network. The tech giant claims the botnet compromised over 10 million Android devices globally, primarily through pre-installed malware on uncertified devices lacking Google’s security protocols.
“The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android’s open-source software (Android Open Source Project), which lacks Google’s security protections,” Google stated. These infected devices were then exploited for large-scale ad fraud and other forms of cybercrime. In response, Google updated its Google Play Protect system to automatically detect and block BADBOX-related threats.
The lawsuit follows a recent alert from the FBI, which warned that BADBOX, initially identified in late 2022, was spreading through Internet of Things (IoT) devices such as smart TVs, projectors, digital frames, and vehicle infotainment systems—most of which are manufactured in China. The FBI noted that these devices are either preloaded with malware during manufacturing or infected through malicious apps during setup.
A March 2025 report by HUMAN Security identified BADBOX as the largest known botnet involving compromised connected TV devices, with most infections reported in Brazil, the U.S., Mexico, and Argentina. The botnet has evolved over time, shifting from supply chain attacks (malware preloaded before the device reaches the buyer) to infections delivered through unofficial app stores.
Google’s complaint, filed on July 11, outlines how the BADBOX operation is structured into specialized groups. These include:
- The Infrastructure Group (managing the botnet’s command-and-control servers)
- The Backdoor Malware Group (responsible for implanting malware)
- The Evil Twin Group (creating deceptive app versions to serve hidden ads)
- The Ad Games Group (using fake games to generate ad revenue)
According to Google, “The sole purpose of the Enterprise’s apps and websites is to provide ad space for BADBOX 2.0 bots to generate traffic,” which fraudulently earns ad revenue through fake impressions and click fraud schemes.
The court has issued a preliminary injunction, compelling the BADBOX operators to halt their activities and directing ISPs and domain registrars to help disable the botnet infrastructure. HUMAN Security CEO Stu Solomon praised the action as “a significant step forward in the ongoing battle to secure the internet.”