Google Targets Malware Affecting 10M Android Devices and Botnets

Edward Zhou
Edward Zhou

CEO & Founder

 
July 19, 2025 3 min read

BadBox 2.0 Malware Threat

TV box with remote
Malware identified as "BadBox 2.0" has affected over 10 million Android devices, including various no-name TV streaming devices, tablets, and projectors. Google has initiated a lawsuit in New York to dismantle what it describes as a "criminal enterprise" operating as a botnet. The botnet, referred to as the "largest known botnet of internet-connected TV devices," poses a risk of being utilized for serious cybercrimes, including ransomware and DDoS attacks.

The malware proliferates through low-cost Android devices manufactured in China. It can be preinstalled or downloaded as Trojanized applications from unofficial app stores during setup. Hackers exploit these devices to sell access to cybercriminals, allowing them to conduct hacking activities in the U.S. and beyond. Google has identified several affected models, including Android TV boxes like X88 Pro 10, T95, MXQ Pro, and QPLOVE Q9. For a more comprehensive list, refer to Human Security.

Google's lawsuit claims the hackers, based in China, include at least 25 individuals or entities. The company is asking the court for a permanent injunction to cease operations related to the BadBox malware, which also generates fraudulent clicks for mobile ads. The legal action aims to disrupt the botnet by targeting the command-and-control servers that manage the malware's operations.

Legal Action Against Cybercriminals

Google's legal strategy involves pursuing a RICO case against the operators of the BadBox 2.0 botnet. The company seeks to shut down over 100 domains linked to the malware, which are hosted by major web service providers such as GoDaddy, Cloudflare, and Amazon. This legal route is considered necessary because traditional methods of using monitoring and ad account shutdowns have proven insufficient.

The lawsuit highlights the infrastructure behind the botnet, which includes various groups responsible for different criminal activities. The Infrastructure Group manages the command-and-control setup, while the Backdoor Malware Group develops the malware itself. Additionally, the Evil Twin Group creates fraudulent apps to generate ad revenue, and the Ad Games Group uses fake games for similar purposes.

Google's actions are prompted by the FBI's warning about BadBox 2.0 and its potential for large-scale ad fraud. The botnet has been described as a significant threat, particularly in regions like Brazil, the U.S., Mexico, and Argentina. For an overview of the botnet's impact, see The Hacker News.

Anatsa Malware in Google Play Store

Malware on phone
A different malware strain, named "Anatsa," infiltrated the Google Play Store by masquerading as a legitimate document viewer app. This Trojan, which garnered over 50,000 downloads before its removal, is designed to access banking applications covertly. ThreatFabric reported that the app initially appeared legitimate but was modified to deliver malicious updates that hijack access to U.S. mobile banking apps.

Anatsa can perform various malicious actions, including credential theft and keylogging, while displaying fake notifications to mislead users. This incident raises concerns about the effectiveness of Google Play Protect in safeguarding against apps that transition from legitimate to malicious post-download.

Google's security measures have been called into question, especially regarding the app's quick transformation into a threat approximately six weeks after its launch. This underscores the need for robust security practices to combat mobile malware threats effectively.

Importance of Advanced Security Solutions

The rising prevalence of malware like BadBox 2.0 and Anatsa highlights the critical need for advanced security solutions. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, which integrates networking and security across various environments—from endpoints and private networks to cloud, remote access, and containers.

Our offerings include:

  • AI-Powered Zero Trust Platform
  • Advanced AI Authentication Engine
  • Secure Access Service Edge (SASE)
  • Cloud Access Security Broker
  • Micro-Segmentation for Secure Environments

Explore how Gopher Security can enhance your organization's cybersecurity posture by visiting Gopher Security for more information or to contact us.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article