Google Sues BadBox 2.0: Battling Multi-Million Dollar Ad Fraud Botnet on 10M+ Android Devices
Google has filed a lawsuit against the unidentified operators of the malicious botnet BadBox 2.0, accusing them of orchestrating a large-scale advertising fraud scheme that directly targeted the company’s own platforms. According to the complaint, the perpetrators disseminated malware via Android Open Source Project (AOSP)-based devices—including smart TVs, media boxes, and other connected electronics lacking the protective layer of Google Play Protect.
Infection occurred through two primary vectors. In the first, threat actors purchased low-cost AOSP devices in bulk, injected them with malicious firmware embedding the BadBox 2.0 code, and subsequently resold the compromised hardware. In the second, users were deceived into installing infected applications on their devices. Once installed, the malware functioned as a backdoor, receiving commands from attacker-controlled command-and-control (C2) servers.
The compromised devices were conscripted into the BadBox 2.0 botnet, which was weaponized in two main capacities: either as “residential proxies” for other criminal actors—without the device owners’ knowledge—or as engines for advertising fraud. The latter scenario is at the core of Google’s legal action.
According to the company, the botnet employs three primary tactics for ad fraud. First, hidden ad rendering: clones of popular apps are silently installed on infected devices, which then load invisible ads on attacker-operated websites, generating revenue from impressions. Second, background browser exploitation: fake “games” containing embedded ads are launched in the background, resulting in massive, automated ad views that profit criminal ad accounts. Third, fake search query generation: infected devices submit fabricated queries to sites running AdSense for Search, and the ads displayed alongside the results provide yet another revenue stream.
The original BadBox botnet was partially dismantled in December 2024 following intervention by German authorities, who succeeded in severing communications between infected devices and their C2 infrastructure via DNS sinkholing. However, the scheme was resurrected under the moniker BadBox 2.0. By April 2025, Google estimated over 10 million devices had been infected, including more than 170,000 units in New York State alone.
Google reports having already disabled thousands of advertising accounts linked to the botnet, yet the operation continues to grow. The company warns of the botnet’s potential for rapid expansion, noting that profits from ad fraud are likely being reinvested into acquiring new devices, developing advanced malware, and scaling operations. The investigation, Google states, has also incurred substantial financial costs.
Because the identities of the attackers remain unknown—though believed to be operating from China—Google has filed the lawsuit under the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations Act (RICO). The suit seeks damages and a permanent injunction to dismantle the botnet and prevent its further proliferation.
An annex to the complaint includes a list of more than 100 internet domains involved in the criminal infrastructure of BadBox 2.0.