Google Sues Operators Behind BadBox 2.0 Botnet Infecting 10 million Android Devices

• What happened: The BadBox 2.0 botnet operators are being sued by Google in a lawsuit.
• Infected devices: Millions of Android devices worldwide adhered to the botnet for programmatic ad fraud and click fraud.
• Side impact: Residential proxy services facilitated account takeover, fake account creation, DDoS, malware distribution, and OTP theft.

Google has taken significant legal steps against the masterminds of the BadBox 2.0 botnet, a sprawling malware network that infects approximately 10 million Android devices globally, according to a partly unsealed lawsuit filed in a New York court. 

The lawsuit, which began in May, aims to dismantle the botnet by blocking its command-and-control (C2) infrastructure and seizing control of malicious domain registrations. 

The Scale of the BadBox 2.0 BOTNET  

Discovered by HUMAN Security and Google researchers in March, the BadBox 2.0 botnet is a successor to the first iteration, BadBox. It infects a wide range of devices, including set-top boxes, smartphones, and even in-car entertainment systems, primarily sourced from unauthorized manufacturers. 

Infected Android Open Source Project devices included lower-priced, off-brand, and uncertified tablets, connected CTV boxes, digital projectors, and more. The complaint states that some of them are even manufactured by the BadBox 2.0 Enterprise.

The malware executes invisible ad clicks, enabling mass ad fraud and laundering, while also functioning as a residential proxy network for activities such as distributed denial-of-service (DDoS) attacks, account takeovers, and further malware dissemination.  

The botnet's ability to inject malicious code without user interaction exponentially increases its malicious potential, and the infection has spread to 222 countries.  

Other botnet families this month were observed disguising malicious traffic as VPN or gaming data to evade detection — a tactic used to bypass firewalls and blend in with normal traffic

Google's Legal Actions  

In response, Google sues botnet operators, aiming to hold unnamed individuals, referred to as Does 1-25, accountable for violating the Computer Fraud and Abuse Act (CFAA) and RICO laws. 

The move targets one of the largest botnets that infects uncertified Android devices running on the Android Open Source Project.  

Google’s partnership with HUMAN Security and Trend Micro has been pivotal in combating the operational reach of BadBox 2.0. A preliminary injunction was granted on July 1.  

Google, Human Security, Trend Micro, and the Shadowserver Foundation contributed to an FBI advisory asking to “evaluate IoT devices in their home for any indications of compromise and consider disconnecting suspicious devices from their networks.”