Google Sues BadBox 2.0 Botnet Operators Over Malware That Infected 10 Million+ Devices
Google has filed a lawsuit in New York federal court against the operators of the BadBox 2.0 botnet, marking a significant escalation in the tech giant’s fight against cybercriminal networks.
The malware campaign represents the largest known botnet of internet-connected television devices, compromising over 10 million uncertified Android devices worldwide.
BadBox 2.0 emerged as a sophisticated threat targeting uncertified devices that run the Android Open Source Project (AOSP) without Google's integrated protections such as Google Play Protect.
The operators took advantage of that gap: because these devices ship without Play Protect scanning, malicious code pre-installed in their firmware could sit dormant until the operators chose to activate it.
This approach gave the criminals persistent access to millions of connected TVs and streaming devices on networks around the world.
The botnet's primary distribution vector was the hardware supply chain itself, through partnerships with device manufacturers who unknowingly shipped hardware whose firmware already contained the backdoor.
Once deployed in consumer environments, the infected devices conducted large-scale ad fraud operations, generating illegitimate revenue streams while remaining largely undetected by users.
Google researchers identified the malware’s sophisticated evasion techniques, which included mimicking legitimate network traffic patterns and operating during low-usage periods.
Google analysts working alongside HUMAN Security and Trend Micro researchers documented the malware's persistence mechanisms during their investigation.
The joint investigation found that BadBox 2.0 keeps its command-and-control communications encrypted, which defeats payload-based inspection; the connections themselves, their timing and their destinations remain visible to network monitoring, which is where detection has to focus.
Infection Mechanism and Persistence Architecture
The malware's infection mechanism relies on firmware-level integration during the manufacturing process.
BadBox 2.0 is built into the device's AOSP-based system image, so it runs with system-level privileges and, because a factory reset only restores that same image, it survives a reset.
The malware runs hidden background services that poll the operators' remote servers, allowing them to push additional payloads and change tactics without touching the device again.
Google's Ad Traffic Quality team has since updated Google Play Protect to automatically identify and block BadBox-associated applications, while the FBI continues coordinating with international law enforcement agencies. Play Protect runs only on certified devices with Google Play Services, so the uncertified devices at the heart of this botnet gain nothing from that update; for them, the practical checks remain verifying certification status before purchase and watching for unexplained outbound connections on the network.