Google has filed a lawsuit against the unnamed operators of the Android BadBox 2.0 malware botnet, accusing them of running a global ad fraud scheme against the company's advertising platforms.
The BadBox 2.0 malware botnet is a cybercrime operation that uses infected Android Open Source Project (AOSP) devices, including smart TVs, streaming boxes, and other connected devices that lack security protections such as Google Play Protect.
These devices become infected either when threat actors buy low-cost AOSP devices, modify the operating system to include the BadBox 2.0 malware, and then resell them online, or when users are tricked into downloading and installing malicious apps that contain the malware.
The malware then acts as a backdoor that connects to command-and-control (C2) servers operated by the attackers, from which it receives commands to execute on the device.
Once compromised, devices become part of the BadBox 2.0 botnet, where they are turned into residential proxies sold to other cybercriminals without the victims' knowledge, or are used to conduct ad fraud.
Google's lawsuit focuses primarily on the ad fraud component, which the botnet commonly conducts against the company's advertising platforms.
This ad fraud is carried out in three ways:
- Hidden ad rendering: Fake "evil twin" apps are silently installed on infected devices to load hidden ads in the background on attacker-controlled websites that carry Google ads, generating fraudulent ad revenue for the operation.
- Web-based game sites: Bots are instructed to launch invisible web browsers and play rigged games that rapidly trigger Google ad views. Each ad view results in revenue for the attacker-controlled publisher accounts.
- Search ad click fraud: Bots are instructed to perform search queries on attacker-operated websites that use AdSense for Search, generating advertising revenue from the ads shown in the retrieved search results.
In December 2024, the original BadBox botnet was disrupted by Germany after the country blocked communication between the infected devices and their command-and-control (C2) infrastructure by sinkholing DNS queries.
However, that did not stop the criminal enterprise, as the threat actors quickly launched BadBox 2.0, which is now believed to have infected over 10 million Android-based devices as of April 2025. Google's complaint says that there are more than 170,000 infected devices in New York state alone.
Google's complaint states that it has already terminated thousands of publisher accounts linked to the operation, but warns that the botnet continues to grow and poses an increasing cybersecurity risk.
"If the BadBox 2.0 Scheme is not disrupted, it will continue to proliferate," warns Google.
"The BadBox 2.0 Enterprise will continue to generate revenue, will use these proceeds to expand its reach, producing new devices and new malware to fuel its criminal activity, and Google will be forced to continue expending substantial financial resources to investigate and combat the Enterprise's fraudulent activity."
Because the defendants are unknown and believed to reside in China, Google is pursuing relief under the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations (RICO) Act.
The company seeks damages and a permanent injunction to dismantle the malware infrastructure and prevent the further spread of the malware.
Included in the complaint is a list of over 100 internet domains that are part of the cybercrime operation's infrastructure.
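The two defensive levers the article mentions are a published list of infrastructure domains and DNS sinkholing of the devices' C2 traffic. The following is an added example, not code from the article or from Google's complaint, showing how a defender would use such a list: it matches DNS query logs against the domains (including subdomains of a listed domain, and ignoring case and trailing dots) to find which internal clients are talking to the infrastructure, and emits response-policy-zone (RPZ) records of the kind BIND and Unbound accept to make those names resolve to NXDOMAIN. The domains and log lines are constructed placeholders; the real domain list is in the complaint and is not reproduced here.

```python
# Added example: match DNS query logs against an indicator domain list and
# build RPZ sinkhole records. Not from the article or Google's complaint.

# Constructed placeholder indicators (the complaint's real list is not reproduced).
BLOCKLIST = {
    "c2-example-one.invalid",
    "c2-example-two.invalid",
}

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2025-07-17T10:00:01Z 192.0.2.10 www.example.org A
2025-07-17T10:00:02Z 192.0.2.11 update.c2-example-one.invalid A
2025-07-17T10:00:03Z 192.0.2.12 c2-example-two.invalid. AAAA
2025-07-17T10:00:04Z 192.0.2.10 notc2-example-one.invalid A
2025-07-17T10:00:05Z 192.0.2.11 C2-EXAMPLE-ONE.INVALID A
"""


def normalize(name):
    """Lower-case a query name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matches_blocklist(qname, blocklist=BLOCKLIST):
    """Return the blocklist entry that qname equals or is a subdomain of, else None.

    Matching walks up the label hierarchy (a.b.c -> a.b.c, b.c, c), so a
    substring such as 'notc2-example-one.invalid' does not match
    'c2-example-one.invalid'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def find_suspect_clients(log_text, blocklist=BLOCKLIST):
    """Map each client IP that queried a listed domain to the entries it hit."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = matches_blocklist(rec["qname"], blocklist)
        if matched:
            hits.setdefault(rec["client"], set()).add(matched)
    return hits


def rpz_records(blocklist):
    """Emit RPZ records that return NXDOMAIN for each domain and its subdomains.

    In RPZ, 'name CNAME .' means NXDOMAIN; the wildcard covers subdomains.
    """
    lines = []
    for domain in sorted(blocklist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    for client, domains in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client} queried: {', '.join(sorted(domains))}")
    print("\n".join(rpz_records(BLOCKLIST)))
```

The hierarchy walk in `matches_blocklist` is the part worth keeping: a naive substring or `endswith` check either misses `update.<domain>` or falsely flags unrelated names that merely end in the same characters. Feed real resolver logs through `find_suspect_clients` and the resulting client list is the set of devices to pull off the network and inspect.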