Google Sues 25 Chinese Entities Over BADBOX 2.0 Botnet Attack

Edward Zhou
Edward Zhou

CEO & Founder

 
July 19, 2025 2 min read

Legal Action Against BadBox 2.0 Botnet

Google has initiated legal action in New York federal court against 25 unnamed individuals or entities in China for their alleged involvement with the BadBox 2.0 botnet, which has compromised over 10 million devices running Android's open-source software. The botnet operates by exploiting devices that lack Google’s security protections, resulting in large-scale ad fraud and other cybercrimes. This includes the use of pre-installed malware that enables cybercriminals to conduct illicit activities.

Google lawsuit targets operators of ‘BADBOX 2.0’
Image courtesy of ThreatLocker

Google's Ad Traffic Quality team swiftly updated Google Play Protect to block apps associated with BadBox. Additionally, the FBI has issued an alert regarding these cyber threats, emphasizing the need for enhanced consumer protection measures. HUMAN Security partnered with Google to unveil the scale of this operation.

Scope and Impact of the Botnet

BadBox 2.0 is described as the largest known botnet targeting connected consumer devices, including smart TVs, projectors, and other IoT devices. These devices are often shipped without adequate security measures, making them susceptible to malware. Google aims to disrupt the botnet's infrastructure through its lawsuit, seeking to sinkhole domains used for control and mitigate further abuse.

The botnet has reportedly generated millions in illegitimate ad revenue and utilized compromised devices to harvest sensitive user data. The FBI has warned that many of the affected products are either preloaded with malicious software or infected shortly after being set up, allowing for unauthorized access and exploitation.

Criminal Structure Behind BadBox

The legal filings detail a sophisticated criminal structure overseeing the BadBox operation, consisting of distinct groups responsible for various aspects, such as command servers and malware distribution. The operation exploits vulnerabilities in the supply chain, allowing malware to be installed prior to consumer purchase.

Google's lawsuit alleges that these actors profit from ad fraud by deploying "evil twin" versions of legitimate applications, creating fraudulent ad impressions, and leveraging infected devices for click fraud. This structured approach significantly amplifies the botnet's reach and impact.

Protecting Against Cyber Threats

In response to the growing threat posed by BadBox 2.0, organizations need to implement robust security measures. Solutions like Gopher Security's AI-Powered Zero Trust Platform offer comprehensive protection across devices, apps, and environments. This includes advanced capabilities such as micro-segmentation for secure environments and granular access control.

Security experts recommend that businesses deploy network defenses, such as firewalls, to protect against compromised devices. Regular security audits and updates are essential to mitigate risks. Gopher Security specializes in cutting-edge cybersecurity architectures, ensuring that organizations can effectively manage and respond to evolving threats.

For more information on how to enhance your security posture against sophisticated cyber threats, visit Gopher Security and explore our range of AI-driven security solutions.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article