Google has filed a lawsuit against 25 unnamed individuals based in China, accusing them of compromising more than 10 million devices around the world, using them to build a botnet called BadBox 2.0, and then committing further cybercrime and fraud through it.

"As of April 2025, BadBox 2.0 has infected more than 10 million AOSP-based TV streaming boxes, tablets, projectors, and aftermarket automotive infotainment systems," the lawsuit [PDF] states. "In fact, BadBox 2.0 is the largest connected TV infection botnet discovered to date, extending beyond connected TVs to include tablets, digital projectors, and other devices."

"This lawsuit allows us to further disrupt the criminal operations behind the botnet and cut off their ability to commit more crimes and fraud," Google said in a blog post on Thursday.

The search and advertising giant also has its own commercial interests at stake: it alleges in the filing that BadBox "interferes with Google's relationship with its users (and potential users), harms Google's reputation, undermines the value of Google's products and services, and forces Google to devote significant resources to investigating and combating the botnet's harmful activities."

Because the defendants are in China, which rarely extradites suspects to the United States, the litigation is unlikely to result in any of them being held personally accountable.

Google previously worked with Trend Micro, Human Security, and the Shadowserver Foundation to identify the command-and-control (C2) servers and domains directing the hijacked devices.

So, if the court sides with Google, the lawsuit will let the tech giant take control of those C2 domains, further disrupting BadBox 2.0's operations.

BadBox first surfaced in late 2022, when attackers used a backdoor to infect around 74,000 off-brand Android connected-TV devices. Human Security's Satori researchers disrupted that campaign by taking down its ad-fraud infrastructure and C2 servers.

Earlier this year, however, the Satori team sounded the alarm about BadBox 2.0, and Human Security once again partnered with private companies and law enforcement to partially disrupt its infrastructure.

Even after those efforts to suppress BadBox 2.0, the FBI issued a public service announcement warning consumers that cybercriminals continue to exploit these Android devices, an indication that the botnet is still expanding.

The same goes for BadBox's residential proxy infrastructure, which lets attackers mask malicious network traffic behind real IP addresses assigned to residential users. Threat actors use this access to launch distributed denial-of-service (DDoS) and other attacks from the compromised device, or sell the device's IP address to other bad actors as a proxy exit. According to Human Security, owners of infected boxes rarely realize that their connected TV has become part of a botnet.

The security shop has previously documented account takeovers, fake account creation, credential theft, sensitive-information leaks, and DDoS attacks carried out by downstream criminals who bought residential proxy services from the BadBox operators.
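One practical consequence of the residential-proxy model described above is that the infected box is visible from the home router as a device with far more outbound fan-out than a streaming appliance should have, and sometimes with sessions opened toward it from outside. The following is an added example, not code from Google, Human Security or the lawsuit: it profiles constructed router flow records of the form `<timestamp> <src_ip> <dst_ip> <dst_port> <out|in>` and flags LAN hosts that behave like proxy exits. The LAN range, the thresholds and the sample flows are all assumptions and would need tuning against a real network's baseline.

```python
"""Flag a LAN device that looks like a residential-proxy exit node.

Added example, not code from the lawsuit, Google or Human Security. It works
on constructed router flow records of the form
'<timestamp> <src_ip> <dst_ip> <dst_port> <out|in>', where 'out' means the
LAN host opened the session and 'in' means a remote host opened it. The LAN
range and both thresholds are assumptions to be tuned per network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # assumed home LAN

# Assumed thresholds. A streaming box normally talks to a handful of CDN and
# ad endpoints; a proxy exit talks to whatever its remote customers request,
# and may also accept sessions pushed to it from the relay side.
MAX_DISTINCT_DESTS = 40
MAX_INBOUND_SESSIONS = 3


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, direction = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "dir": direction})
    return flows


def profile_hosts(flows):
    """Per LAN host: distinct external destinations, ports, inbound sessions."""
    prof = defaultdict(lambda: {"dests": set(), "ports": set(), "inbound": 0})
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if f["dir"] == "out" and src in LAN and dst not in LAN:
            prof[f["src"]]["dests"].add(f["dst"])
            prof[f["src"]]["ports"].add(f["dport"])
        elif f["dir"] == "in" and dst in LAN and src not in LAN:
            prof[f["dst"]]["inbound"] += 1
    return prof


def suspected_proxies(flows):
    """Return {lan_host: [reasons]} for hosts that exceed either threshold."""
    hits = {}
    for host, p in profile_hosts(flows).items():
        reasons = []
        if len(p["dests"]) >= MAX_DISTINCT_DESTS:
            reasons.append(f"{len(p['dests'])} distinct external destinations "
                           f"on {len(p['ports'])} ports")
        if p["inbound"] >= MAX_INBOUND_SESSIONS:
            reasons.append(f"{p['inbound']} externally initiated sessions")
        if reasons:
            hits[host] = reasons
    return hits


def build_sample_log():
    """Constructed flows: a laptop with normal fan-out and a TV box relaying."""
    lines = []
    # Laptop: a few HTTPS sessions to a handful of services.
    for i in range(8):
        lines.append(f"2025-07-17T10:00:{i:02d} 192.168.1.10 "
                     f"93.184.216.{30 + i % 3} 443 out")
    # TV box: sessions fanning out to 60 unrelated hosts on assorted ports,
    # plus sessions opened from the outside toward the box.
    for i in range(60):
        lines.append(f"2025-07-17T10:01:{i % 60:02d} 192.168.1.20 "
                     f"203.0.113.{i + 1} {[80, 443, 8080, 25, 5222][i % 5]} out")
    for i in range(5):
        lines.append(f"2025-07-17T10:02:{i:02d} 198.51.100.7 "
                     f"192.168.1.20 {40000 + i} in")
    return "\n".join(lines)


SAMPLE_FLOWS = parse_flows(build_sample_log())

if __name__ == "__main__":
    for host, why in suspected_proxies(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```

On the constructed sample only the TV box at 192.168.1.20 is flagged, on both counts. In practice the fan-out threshold is the more robust signal, since a NAT router that drops unsolicited inbound connections will hide the second one; the point is that a proxy exit cannot avoid talking to whatever its customers ask for.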

Additionally, as Human Security chief information security officer Gavin Reid said earlier: "We expect they will also launch Badbox 3."

The lawsuit details how BadBox, which Google calls the "BadBox 2.0 Enterprise," consists of several teams, each responsible for designing and running a different part of the operation against internet-connected devices, both before and after consumers receive them.

First, the Infrastructure Group develops and manages BadBox 2.0's primary C2 servers and domains; the lawsuit lists all of the domain names known to be used by the enterprise.

There is also a "Backdoor Malware Group," responsible for preinstalling backdoors on devices, operating parts of the botnet, and selling access to the proxied devices for ad fraud and other money-making schemes.

The enterprise also has teams that maintain secondary infrastructure: scenario-specific malware, and the scenario-specific applications and websites used on infected devices, including the domains and C2 servers that run the malware packages and monetize the advertising space.

“Organizations in this enterprise sector operate various malware packages to conduct fraud schemes, such as providing downstream proxy access to infected devices or conducting ad fraud,” the lawsuit states, naming two threat groups behind this secondary infrastructure.

There is also an "Evil Twin" group that builds apps for ad fraud campaigns: "Evil Twin" apps are malicious copies of legitimate apps listed on the Google Play Store, used to trick users into installing the counterfeit version, which then generates ad traffic. These apps also launch hidden web browsers that load ads the user never sees.

Additionally, an "advergame" group has been linked to a hidden-browser scheme run on infected devices that used deceptive "games" to generate ad traffic.

According to the lawsuit, all of these different threat actor groups are connected through shared infrastructure and "historic and current business relationships." The lawsuit continues:

The Enterprise's members work together to implement BadBox 2.0 schemes; no scheme can generate revenue without the participation and coordination of multiple members. The Enterprise built an ecosystem of centralized C2 servers; developed, exploited, and sold backdoors that accessed individual devices; connected those devices to the centralized C2 servers; and used those backdoors to attack the digital advertising ecosystem from multiple angles.

When asked about the lawsuit, the CEO of Human Security praised Google's action: "This crackdown marks an important step in our ongoing fight against sophisticated fraud that hijacks devices, steals money, and exploits consumers without their knowledge. We are honored to be deeply involved in this operation and to work closely with Google, Trend Micro, and the Shadowserver Foundation. Their collaboration has been invaluable in helping us expose and neutralize this threat."