Ethical Hacking News

Google Takes Down BADBOX 2.0 Botnet Affecting 10 Million Android Devices


Google has taken down the BADBOX 2.0 botnet, which compromised over 10 million Android devices, through a combination of legal action and updated malware protections. The malicious network was first detected in late 2022 and has since been tied primarily to large-scale ad fraud and other digital crimes.

  • Google has taken legal action against 25 unnamed individuals or entities in China for allegedly operating the BADBOX 2.0 botnet.
  • The BADBOX 2.0 botnet compromised over 10 million uncertified Android devices running Android Open Source Project (AOSP) builds that lack Google's security protections.
  • The malicious network spread via IoT devices such as TV streaming devices and aftermarket vehicle infotainment systems, most of which are manufactured in China.
  • Google updated Google Play Protect, its malware and unwanted software protection mechanism, to block BADBOX-related apps.
  • The FBI issued a warning about the BADBOX 2.0 botnet, highlighting the risk of unauthorized access to home networks via compromised devices.
  • The BADBOX enterprise comprises multiple groups responsible for different parts of the criminal infrastructure, including the backdoor malware and the ad fraud campaigns.
  • The case shows how cheap, uncertified connected devices widen the attack surface for consumers and home networks.



  • Google has taken legal action against 25 unnamed individuals or entities in China for allegedly operating the BADBOX 2.0 botnet, a malicious network of infected devices that compromised over 10 million uncertified Android devices. These devices run Android Open Source Project (AOSP) builds, which ship without Google Play Services and therefore without Google's security protections such as Play Protect.

    The BADBOX 2.0 botnet is known to spread via internet of things (IoT) devices such as TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products, most of which are manufactured in China. The malicious network was first detected in late 2022 and has since been associated with various forms of cybercrime, including large-scale ad fraud and other digital crimes.

    According to Google, the company immediately updated Google Play Protect, the malware and unwanted software protection mechanism that runs on Play Protect certified Android devices, so that it automatically blocks BADBOX-related apps. The caveat for practitioners is that Play Protect is delivered through Google Play Services, which the uncertified AOSP boxes that make up the botnet do not carry; the update shields certified phones and tablets from BADBOX-related apps rather than cleaning the infected devices themselves.

    The development comes a little over a month after the U.S. Federal Bureau of Investigation (FBI) issued a warning about the BADBOX 2.0 botnet. The FBI warned that cybercriminals gain unauthorized access to home networks by either configuring the product with malicious software prior to purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.

    In an analysis published in March 2025, HUMAN Security described the threat as the largest botnet of infected connected TV (CTV) devices ever uncovered to date. The vast majority of BADBOX infections have been reported in Brazil, the United States, Mexico, and Argentina.

    While early iterations of the malware were propagated via supply chain compromises that backdoored the IoT devices with malware prior to purchase, the attack chains have since adapted to allow infections to spread via malicious apps downloaded from unofficial marketplaces.
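    The two infection paths described above, firmware that ships already backdoored and backdoored apps pulled in from outside Google Play during set-up, can be triaged on a device you control with nothing more than adb. The following Python script is an added example, not code from the article, Google, HUMAN or the FBI: it parses the output of `adb shell getprop` and `adb shell pm list packages -i` and flags builds signed with test-keys, non-`user` build types, and non-system packages whose installer is not the Play Store. The sample output and all `com.example.*` package names are constructed for the example; the checks are heuristics that produce a review queue, not a verdict, because legitimate pre-installed OEM apps also report `installer=null`.

```python
"""Offline triage of adb output for uncertified Android boxes.

Constructed sample text stands in for `adb shell getprop` and
`adb shell pm list packages -i`; run those commands against a real
device and feed the captured text to the same functions.
"""
import re

# Constructed sample: plausible `adb shell getprop` lines from a cheap
# streaming box. Values are illustrative, not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.type]: [userdebug]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2021-03-05]
[ro.product.manufacturer]: [ExampleVendor]
[ro.product.model]: [TV BOX]
"""

# Constructed sample: `adb shell pm list packages -i` output. The
# com.example.* package names are hypothetical.
SAMPLE_PACKAGES = """\
package:com.android.settings  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:com.example.weather  installer=com.example.appmarket
package:com.example.mediacenter  installer=null
package:com.android.vending  installer=null
"""

PLAY_STORE = "com.android.vending"  # the Play Store's own package name
_GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")
_PKG_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; ignores anything else."""
    props = {}
    for line in text.splitlines():
        m = _GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_packages(text):
    """Map package name -> installer package, or None for `installer=null`."""
    pkgs = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            inst = m.group("inst")
            pkgs[m.group("pkg")] = None if inst == "null" else inst
    return pkgs


def build_findings(props):
    """Signs that the firmware itself, not a later download, needs scrutiny.

    Production builds are signed with release-keys and have build type
    'user'; anything else is not what a certified retail device ships with.
    """
    findings = []
    if props.get("ro.build.tags") == "test-keys":
        findings.append("build signed with test-keys, not a production release build")
    if props.get("ro.build.type") != "user":
        findings.append(f"build type is {props.get('ro.build.type')!r}, expected 'user'")
    return findings


def sideloaded_apps(pkgs, system_prefixes=("com.android.", "com.google.android.")):
    """Non-system packages that did not come from the Play Store.

    Pre-installed OEM apps also show installer=null, so this is a list to
    review by hand, not a list of confirmed malware.
    """
    return sorted(
        pkg for pkg, inst in pkgs.items()
        if inst != PLAY_STORE and not pkg.startswith(system_prefixes)
    )


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    for f in build_findings(props):
        print("BUILD:", f)
    for pkg in sideloaded_apps(parse_packages(SAMPLE_PACKAGES)):
        print("REVIEW:", pkg)
```

    On a real device, replace the two sample strings with the output of `adb shell getprop` and `adb shell pm list packages -i`. A test-keys build plus several non-Play packages with `installer=null` matches the profile of the uncertified boxes described in this article and is reason to keep the device off a trusted network until it has been inspected.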

    The BADBOX enterprise comprises multiple groups, each of which is responsible for a different part of the criminal infrastructure:

    - The Infrastructure Group, which established and manages BADBOX 2.0's primary command-and-control (C2) infrastructure
    - The Backdoor Malware Group, which develops the backdoor malware and pre-installs it on the bots
    - The Evil Twin Group, which runs an ad fraud campaign that creates "evil twin" versions of legitimate apps from the Google Play Store to serve ads and to launch hidden web browsers that load further ads
    - The Ad Games Group, which uses fraudulent "games" to generate ad impressions

    In a complaint filed on July 11, 2025, Google alleged that these groups together form the BADBOX enterprise, with each playing a critical role in enabling illicit activity by other threat actors.

    The case shows how the attack surface grows as more consumer devices ship with internet connectivity but without a certified software stack or a vendor able to patch them. Device manufacturers, security software providers, and users each have a part in securing these devices against such threats.

    The BADBOX 2.0 botnet also illustrates why combating cybercrime at this scale requires collaboration between law enforcement agencies, security researchers, and technology companies.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Google-Takes-Down-BADBOX-20-Botnet-Affecting-10-Million-Android-Devices-ehn.shtml

  • https://thehackernews.com/2025/07/google-sues-25-chinese-entities-over.html


  • Published: Fri Jul 18 06:30:47 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.
