Google has taken significant legal action against a sophisticated and widespread cybercrime operation, filing a lawsuit against 25 unnamed individuals, collectively known as “Does 1-25,” believed to be based in China. These cybercriminals are accused of operating BADBOX 2.0, one of the largest global botnets to date, with an alarming reach of over 10 million compromised internet-connected Android devices. This includes a wide array of products such as smart TVs, streamers, digital picture frames, aftermarket infotainment systems, projectors, and other inexpensive, off-brand Android devices primarily manufactured in mainland China and distributed worldwide.
The lawsuit, filed on July 11th, asserts that the cybercriminals are causing immediate and irreparable harm to Google.
Tarnishing its reputation when fraud occurs on its platforms and forcing the company to allocate substantial resources to detect, deter, and disrupt this rapidly growing botnet.
The insidious nature of BADBOX 2.0 lies in its method of infection and persistence. Many of the compromised devices come with the BADBOX malware pre-installed at the firmware level, making it exceptionally difficult for users to remove, even with factory resets. Additionally, users are often tricked into downloading malicious applications from unofficial marketplaces. These affected devices primarily run the Android Open Source Project (AOSP), which lacks Google’s inherent security protections like Google Play Protect, rendering them highly vulnerable. Once compromised, these devices become part of a vast network that cybercriminals sell access to, enabling other illicit activities such as ad fraud, residential proxy services, distributed denial-of-service (DDoS) attacks, ransomware, account takeover, and data exfiltration, all while masking the attackers’ true locations.
Google’s lawsuit is a critical step in a broader, collaborative effort to combat BADBOX 2.0.
Previously, organizations like Human Security, Google, Trend Micro, and Shadowserver collaborated to disrupt the network by identifying and shutting down its command-and-control servers and blocking malicious applications. Despite these efforts, approximately 5 million active and blocked compromised devices remain connected to the internet, still attempting to receive instructions from the hackers, though their traffic is now largely filtered by internet service providers through sinkholing techniques. This ongoing threat prompted the FBI to issue an alert in June, urging users to inspect their devices for indicators of compromise.
Google views this lawsuit as one of the most significant botnet disruptions in recent years, emphasizing its commitment to dismantling the criminal operation beyond technical fixes. While Google has updated Google Play Protect to automatically block BADBOX-associated apps on certified devices, the legal action aims to “further dismantle the criminal operation behind the botnet, cutting off their ability to commit more crime and fraud.” This proactive stance not only seeks to recover treble damages, costs, and attorney’s fees from the defendants but also to protect Google’s market share and the overall security of its platform and users.
According to John Lilliston, ThreatLocker Detect Product Director, Google’s legal pursuit is an “ethical pursuit that has widespread implications for their end users.” The lawsuit specifically alleges that the 25 unnamed defendants collaborated in a sophisticated criminal enterprise, with distinct and assigned responsibilities, operating both within the U.S. and overseas. Their coordinated efforts in establishing, growing, and managing the botnet, including pre-installing malware, tricking users, and leveraging hijacked devices for various cyberattacks, underscore the gravity of the threat and Google’s determination to bring these perpetrators to justice and enhance internet security for all.
Reference:
