Google Files Lawsuit to Dismantle Massive 'BadBox 2.0' Ad Fraud Botnet

- Google has filed a federal lawsuit in New York to dismantle the ‘BadBox 2.0’ botnet, a vast network that infected over 10 million uncertified Android devices.
- The operation, conducted in collaboration with security firms HUMAN Security, Trend Micro, and the FBI, targets a sophisticated ad fraud scheme that generated fraudulent clicks and ad impressions.
- The botnet’s malware was primarily pre-installed on uncertified devices running open-source Android (AOSP) before they were sold, bypassing standard Google Play security checks.
- The fraudulent activity included the hidden loading of ads and simulating clicks on advertisements, with gambling sites being one of the verticals targeted by the scheme.
- Google has also updated its Play Protect service to automatically block apps associated with the botnet, supplementing its legal action with technical countermeasures.
Google has initiated legal proceedings to dismantle a massive botnet known as ‘BadBox 2.0’, which is believed to have compromised over 10 million devices worldwide. In a lawsuit filed in a New York federal court on 17th July, the technology giant is targeting the anonymous operators of the network, which has been engaged in a large-scale ad fraud scheme.
The action is part of a coordinated effort involving cybersecurity firms HUMAN Security and Trend Micro, as well as the US Federal Bureau of Investigation (FBI). The collaboration aims to disrupt the botnet’s infrastructure and create a significant legal deterrent against the cybercriminals, who are alleged to be based in China.
The Mechanics of the ‘BadBox 2.0’ Ad Fraud Scheme
The BadBox 2.0 botnet primarily infected uncertified devices running the Android Open Source Project (AOSP), a version of the operating system that does not come with Google’s proprietary apps and security services pre-installed. According to investigators, the malware was often deployed during the manufacturing stage of devices like smartphones, TVs, and set-top boxes, which were then sold through various online marketplaces.
Once active, the malware operated in the background, mimicking real user behaviour to commit ad fraud. Its functions included secretly downloading and displaying ads, launching websites for verticals such as gambling without the user’s knowledge, and simulating clicks on advertisements. This type of sophisticated fraud is particularly damaging to high-value advertising sectors like iGaming, as it siphons marketing budgets and severely distorts campaign performance data.
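The behaviours described above (ads loaded while hidden, simulated clicks, and machine-like timing that only imitates a person) are exactly what an ad platform's anti-fraud pipeline looks for. The script below is an added example, not code from the article, from Google, or from HUMAN Security or Trend Micro: it scores a constructed per-device ad event log on click-through rate, the share of events fired while the ad view was not on screen, and the regularity of inter-event gaps. The log format, the field names, and the thresholds are all assumptions made for this illustration.

```python
"""Heuristic scorer for BadBox-style ad-fraud traffic (added example).

Not the article's, Google's, or HUMAN Security's code. The event format,
field names, and thresholds below are assumptions made for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (device_id, timestamp_s, event, visible).
# event is "impression" or "click"; visible records whether the ad view was
# actually on screen when the event fired (an ad SDK could report this).
SAMPLE_EVENTS = [
    # human-looking device: irregular gaps, visible ads, a single click
    ("dev-A", 0.0, "impression", True),
    ("dev-A", 7.3, "impression", True),
    ("dev-A", 9.1, "click", True),
    ("dev-A", 41.8, "impression", True),
    ("dev-A", 96.2, "impression", True),
    ("dev-A", 130.5, "impression", True),
    # bot-looking device: fixed 2 s cadence, hidden ads, a click per impression
    ("dev-B", 0.0, "impression", False),
    ("dev-B", 2.0, "click", False),
    ("dev-B", 4.0, "impression", False),
    ("dev-B", 6.0, "click", False),
    ("dev-B", 8.0, "impression", False),
    ("dev-B", 10.0, "click", False),
    ("dev-B", 12.0, "impression", False),
    ("dev-B", 14.0, "click", False),
]


def device_features(events):
    """Per-device features: click-through rate, hidden share, timing regularity."""
    by_device = defaultdict(list)
    for device, ts, event, visible in events:
        by_device[device].append((ts, event, visible))
    features = {}
    for device, rows in by_device.items():
        rows.sort()
        impressions = sum(1 for _, e, _ in rows if e == "impression")
        clicks = sum(1 for _, e, _ in rows if e == "click")
        hidden = sum(1 for _, _, v in rows if not v)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        # Coefficient of variation of inter-event gaps: close to 0 means the
        # events arrive on a metronome, which real users do not produce.
        cv = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
        features[device] = {
            "ctr": clicks / impressions if impressions else 0.0,
            "hidden_fraction": hidden / len(rows),
            "gap_cv": cv,
            "events": len(rows),
        }
    return features


def flag_devices(events, ctr_max=0.25, hidden_max=0.5, cv_min=0.2, min_events=6):
    """Return {device: [reasons]} for devices whose traffic looks simulated."""
    flagged = {}
    for device, f in device_features(events).items():
        if f["events"] < min_events:
            continue  # too little data to judge this device
        reasons = []
        if f["ctr"] > ctr_max:
            reasons.append("click-through rate above human baseline")
        if f["hidden_fraction"] > hidden_max:
            reasons.append("most ads loaded while not visible")
        if f["gap_cv"] is not None and f["gap_cv"] < cv_min:
            reasons.append("metronomic event timing")
        if reasons:
            flagged[device] = reasons
    return flagged


if __name__ == "__main__":
    for device, reasons in flag_devices(SAMPLE_EVENTS).items():
        print(device, "->", "; ".join(reasons))
```

Run as-is, it flags only `dev-B`, on all three signals. In practice each signal alone is weak (a hidden ad can be a layout bug, a high click rate can be a small sample), so a real pipeline combines them with device attestation and traffic-source reputation rather than blocking on any single threshold.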
A Coordinated Technical and Legal Response
Google is tackling the threat with a two-pronged strategy. On the technical front, the company has updated Google Play Protect, its built-in malware defence system for Android, to automatically identify and block applications associated with the BadBox 2.0 network.
This is supported by the legal action, which aims to disable the botnet’s command-and-control infrastructure and prevent its operators from re-establishing their criminal enterprise. “While these measures have ensured the safety of users and partners, this lawsuit further weakens the criminal activity behind the botnet by preventing attackers from committing new crimes and fraud,” Google stated.
This approach is consistent with Google’s past actions, such as its 2021 lawsuit to take down the ‘Glupteba’ botnet. By leveraging the legal system, the company aims to create lasting disruption for cybercriminal organisations. The BadBox 2.0 network is an evolution of the original ‘BadBox’, which was dismantled by German law enforcement in 2024 but was subsequently rebuilt by its operators. Google’s current legal and technical offensive represents a more permanent effort to eradicate the threat.