Friday, July 18, 2025
Google sues to disrupt BadBox 2.0 botnet infecting 10 million devices

Google has filed a lawsuit against the anonymous operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company’s advertising platforms.

The BadBox 2.0 malware botnet is a cybercrime operation that uses infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections such as Google Play Protect.

These devices become infected either when threat actors purchase low-cost AOSP devices, modify the operating system to include the BadBox 2 malware, and then resell them online, or when users are tricked into downloading and installing malicious apps that contain the malware.

The malware then acts as a backdoor that connects to command-and-control (C2) servers operated by the attackers, from which it receives commands to execute on the device.

Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims’ knowledge, or are used to conduct ad fraud.

Google’s lawsuit primarily focuses on the ad fraud component, which the botnet commonly conducts against the company’s advertising platforms.

This ad fraud is carried out in three ways:

  • Hidden ad rendering: Fake “evil twin” apps are silently installed on infected devices to load hidden ads in the background on attacker-controlled websites carrying Google ads, generating fraudulent ad revenue for the operation.
  • Web-based game sites: Bots are instructed to launch invisible web browsers and play rigged games that rapidly trigger Google ad views. Each ad view generates revenue for the attacker-controlled publisher accounts.
  • Search ad click fraud: Bots are instructed to perform search queries on attacker-operated websites that use AdSense for Search, generating advertising revenue from the ads shown in the returned search results.

In December 2024, the original BadBox botnet was disrupted by Germany after the country blocked communication between the infected devices and their command and control (C2) infrastructure by sinkholing DNS queries.

However, that did not stop the criminal enterprise, as the threat actors quickly launched BadBox 2.0, which is now believed to have infected over 10 million Android-based devices as of April 2025. Google’s complaint says that there are more than 170,000 infected devices in New York state alone.

Google’s complaint states that it has already terminated thousands of publisher accounts linked to the operation, but warns that the botnet continues to grow and poses an increasing cybersecurity risk.

“If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate,” warns Google.

“The BadBox 2.0 Enterprise will continue to generate revenue, will use those proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity, and Google will be forced to continue expending substantial financial resources to investigate and combat the Enterprise’s fraudulent activity.”

Because the defendants are unknown and believed to reside in China, Google is pursuing relief under the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations (RICO) Act.

The company seeks damages and a permanent injunction to dismantle the malware infrastructure and prevent the further spread of the malware.

Included in the complaint is a list of over 100 web domains that are part of the cybercrime operation’s infrastructure.
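Two details above, the German DNS sinkhole that disrupted the first botnet and the domain list attached to the complaint, translate into something a network defender can act on: check resolver logs for devices looking up the listed names, then sinkhole those names so the devices reach a host you control instead of the C2. The following is an added example, not code from Google, the complaint, or any vendor. The C2 domain names, client addresses and log lines are constructed placeholders standing in for the indicators in the filing, and the log format is a simplified one-line-per-query form rather than any particular resolver’s native format.

```python
"""Triage a resolver query log for lookups of known C2 domains and render an
RPZ-style zone fragment that sinkholes them.

Added example for illustration; not code from Google, the complaint, or any
vendor. All domains, addresses and log lines here are constructed placeholders.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-ins for the infrastructure domains attached to the complaint.
# Replace with the real indicators from the court filing or a vendor advisory.
C2_DOMAINS = frozenset({
    "c2-one.example",
    "update-cdn.example",
})

# Constructed, simplified resolver query log: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.21 queries a look-alike name that must NOT match; 10.0.0.77 shows
# that matching is case-insensitive and tolerant of the trailing dot.
SAMPLE_LOG = """\
1752832800 10.0.0.21 www.google.com. A
1752832805 10.0.0.44 c2-one.example. A
1752832815 10.0.0.44 api.c2-one.example. A
1752832830 10.0.0.44 update-cdn.example. A
1752832835 10.0.0.21 notc2-one.example. A
1752832840 10.0.0.77 UPDATE-CDN.EXAMPLE. AAAA
"""


@dataclass
class ClientHits:
    """Per-client summary of C2 lookups seen in the log."""
    count: int = 0
    domains: set[str] = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return qname.rstrip(".").lower()


def matching_c2_domain(qname: str, c2_domains=C2_DOMAINS) -> str | None:
    """Return the C2 domain that qname equals or is a subdomain of, else None.

    Matching is on label boundaries, so 'notc2-one.example' is not a hit for
    'c2-one.example' while 'api.c2-one.example' is.
    """
    q = normalize(qname)
    for d in c2_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_line(line: str) -> tuple[int, str, str] | None:
    """Parse one constructed log line into (epoch, client_ip, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def triage(log_text: str, c2_domains=C2_DOMAINS) -> dict[str, ClientHits]:
    """Aggregate C2 lookups per client so repeated beaconing stands out."""
    hits: dict[str, ClientHits] = defaultdict(ClientHits)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        d = matching_c2_domain(qname, c2_domains)
        if d is None:
            continue
        h = hits[client]
        if h.count == 0:
            h.first_seen = ts
        h.count += 1
        h.last_seen = ts
        h.domains.add(d)
    return dict(hits)


def rpz_zone(c2_domains=C2_DOMAINS, sinkhole_ip: str = "192.0.2.1") -> str:
    """Render a response-policy-zone fragment answering each C2 name and all of
    its subdomains with sinkhole_ip (a documentation address here; point it at a
    host you monitor). Loaded as an RPZ on the resolver, infected devices then
    reach the sinkhole instead of the real C2."""
    lines = [
        "$TTL 300",
        "@ SOA localhost. root.localhost. 1 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for d in sorted(c2_domains):
        lines.append(f"{d} A {sinkhole_ip}")
        lines.append(f"*.{d} A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, h in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {h.count} C2 lookups to {sorted(h.domains)} "
              f"between {h.first_seen} and {h.last_seen}")
    print(rpz_zone())
```

On the constructed log, 10.0.0.44 is reported with three lookups across both domains and 10.0.0.77 with one, while 10.0.0.21 is not reported because the look-alike name only shares a suffix without a label boundary. The RPZ fragment uses `A` rules rather than `CNAME .` (NXDOMAIN) so that the sinkhole host can observe which devices keep beaconing after the names are blocked.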
