Google is taking aim at one of the largest botnets ever discovered, suing a group of alleged cybercriminals based in China for infecting more than 10 million Android devices with preinstalled malware designed to commit “large-scale ad fraud and other digital crimes.”
The lawsuit, filed earlier this week in New York federal court and reviewed by ADWEEK, alleges the perpetrators operated a scheme dubbed BadBox 2.0, which hijacked Android-powered phones, TVs, and tablets by turning them into part of a coordinated botnet used to carry out and conceal a range of illicit activity.
The compromised devices weren’t Play Protect certified and so never went through Google’s standard security reviews; a device’s certification status can be checked in the Play Store app under Settings > About. “Our Ad Traffic Quality team identified and quickly acted against this threat, and we updated Google Play Protect, Android’s built-in malware and unwanted software protection, to automatically block BadBox-associated apps,” Google said in its blog post.
Google’s legal action comes on the heels of a broader federal push to dismantle the operation. Last month, the FBI issued an alert about BadBox 2.0.
The malware quietly ran in the background, mimicking human behavior to fake ad views, simulate website visits, and trigger hidden web browsers to visit ad-heavy gaming sites or click on real ads—redirecting revenue to fraudulent publishers, according to the lawsuit.
The lawsuit also notes that the new version builds on an earlier BadBox campaign first identified in 2023. In that initial version, Google, cybersecurity researchers, and German law enforcement uncovered malware preloaded on more than 74,000 Android devices. The malware opened hidden “backdoors” that connected to a remote command-and-control server as soon as the device was turned on. German authorities later led a disruption operation to partially take the network offline.
The BadBox 2.0 campaign, according to the lawsuit, marks a significant expansion of the original operation, allegedly run by many of the same actors, who developed fraud schemes to target “every stage of the customer journey.”
Google’s move comes shortly after a separate fraud scheme, IconAds, was uncovered earlier this year. That operation, which involved the distribution of out-of-context mobile ads, prompted Google to remove 352 apps from its Play Store, as ADWEEK previously reported.