
Google sues Badbox 2.0 botnet operators


Google is filing a lawsuit against operators of the notorious Badbox 2.0 botnet, which contains over 10 million Android devices. The Android maker has already issued updates to Google Play Protect to keep new devices from being trapped in the botnet, but the lawsuit is aimed at dismantling the existing network.

In a copy of its complaint shared with SecurityWeek, Google claims that Badbox 2.0 is “already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more.” The botnet has mostly been used for fraud so far, but Google warns that more harmful uses, such as ransomware or DDoS attacks, are also possible.

It can also be used to run proxy networks. These networks let hackers route their traffic via residential networks, throwing off investigators and making it appear as if someone else is behind their activity. Such botnets can also be repurposed to carry out large-scale DDoS attacks that can knock even the biggest servers down.

This isn’t the first time a big organisation has taken action against Badbox 2.0. Earlier in June 2025, the FBI issued a warning against the Badbox 2.0 malware campaign, which reportedly infected over a million internet-connected devices commonly found on home networks at the time.

Photo: WhataWin/Shutterstock.com

The botnet generally consists of Chinese Android smart TVs, streaming boxes, tablets, and other Internet of Things (IoT) devices that sell at a fraction of the cost of comparable devices from big-name manufacturers and offer the same functionality. However, these devices either come preloaded with the Badbox 2.0 malware that registers them on the botnet once activated or get infected after the malware is pushed via firmware or software updates coming from both Google Play and third-party app stores. Google also mentions this in its complaint.

The original Badbox botnet was taken down by German police in 2023. Badbox 2.0 is the second global botnet the threat actors have built since then. Google alleges the botnet is operated by multiple cybercrime groups from China, each with a distinct role in its maintenance, ranging from establishing new infrastructure and developing and pre-installing malware on devices to carrying out the actual attacks.

A previous investigation into the network identified four groups behind the botnet: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. The SalesTracker Group managed the botnet’s command-and-control infrastructure, overseeing the distribution of fraud modules. The MoYu Group was responsible for developing and deploying the backdoor that infected devices, managing a click fraud campaign, and planning a broader programmatic ad fraud operation.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.