
Admin access for everyone: Hard-coded credentials discovered in HPE devices
Anyone using an HPE access point should install the latest updates. Attackers can gain admin access. (Security vulnerability, Wi-Fi)

Intel has archived the repository for Clear Linux OS. There will be no more patches for the operating system, and there was no advance notice. (Linux, Intel)
The new ball-form ability in Destiny 2 looks spectacular, but it causes dizziness and nausea for many players. (Destiny 2, Bungie)
With Freeaim's VR shoes, gamers are supposed to be able to walk naturally in VR games. One version corrects sideways movement automatically. (VR, Games)
In crisis situations, mobile networks, internet and landlines often fail at the same time. Alternatives are then needed: our overview with a checklist. A guide by Fabian Deitelhoff (Technology/Hardware, DSL)
Within two years, Dell has become 50 percent more unpopular internally. This is partly due to strict work-from-home rules and mass layoffs. (Dell, Computer)
A Google lawsuit filed in a New York court has been partly unsealed, revealing details of what is believed to be the largest botnet of its type in history. Consisting of 10 million compromised Android devices, mostly cheap Chinese set-top boxes popular with users of free and pirate streaming services, the Badbox 2.0 botnet turns user devices into nodes in a massive residential proxy network. Google says the botnet is used for ad fraud, malware distribution, and other digital crimes.
From: TF, for the latest news on copyright battles, piracy and more.
In 2023, Google and its cybersecurity partners teamed up with German law enforcement agencies after discovering BadBox, a botnet comprised of 74,000 Android devices infected with malware.
After deploying a range of measures to suppress BadBox, a much larger threat quickly arrived.
BadBox 2.0 was discovered by HUMAN’s Satori Threat Intelligence and Research team. Their initial report published in March revealed how infected devices were able to request and click on ads without the user being aware, committing ad fraud and laundering.
As part of a botnet able to act as a residential proxy network, devices were also being used for account takeovers, DDoS attacks, and spreading malware. Since infected devices are also capable of executing new code delivered over the internet, without any user interaction, the potential for harm was unusually high.
At the time the impact of BadBox 2.0 was described as global, with more than one million devices infected in 222 countries and territories. To prevent the spread, users were advised to only download apps from official marketplaces such as Google Play while avoiding off-brand devices.
A list of device model numbers made available since reveals that cheap set-top boxes manufactured in China appear to account for the majority of infected devices. However, laptop and desktop computers, smartphones, tablets, in-car entertainment devices and digital projectors have all been compromised too.
In an announcement late last week, Google revealed that in partnership with HUMAN Security and Trend Micro, its researchers are now battling a botnet comprised of 10 million uncertified and infected devices, running Android’s open-source software (Android Open Source Project), “which lacks Google’s security protections.”
Google’s actions include a lawsuit filed at a federal court in New York which began in May but with most documents sealed until recently. In addition to a temporary restraining order issued on May 30, on July 1 Google was awarded a preliminary injunction to mitigate the ongoing spread of malware, infection of new devices, and other “criminal schemes”.
The identities of the defendants – Does 1-25 – are reportedly unknown, but with some confidence Google’s recently unsealed complaint places the blame firmly on bad actors in China, who it believes would not comply with a judgment for money damages.
• The Infrastructure Group: Established and manages the “command-and-control” C2 infrastructure (C2 Servers and domains) for BadBox 2.0.
• The Backdoor Malware Group: Developed and preinstalls malware on the infected devices and uses that malware to operate a botnet composed of a subset of BadBox 2.0-infected devices to carry out a variety of ad fraud campaigns.
• The Evil Twin Group: Develops apps that the BadBox 2.0 Enterprise uses to commit ad fraud via hidden ads.
• The Ad Games Group: Connected to an ad fraud campaign conducted through BadBox 2.0-infected devices that uses fraudulent “games” to generate ads in hidden web browsers.
Specific details are currently withheld, but it appears that Google has been granted broad permission based on claims under the Computer Fraud and Abuse Act (CFAA) and the Corrupt Organizations Act (RICO), to block (and require other entities to block) traffic to and/or from IP addresses and certain domains.
Other reasonable measures, including seizing control of domain names through registrars and registries, are also at Google’s disposal, to limit the botnet’s ability to operate.
The FBI’s advice is for users to “avoid downloading apps from unofficial marketplaces advertising free streaming content” and “assess all IoT devices connected to home networks for suspicious activity.”
While avoiding unofficial marketplaces is straightforward, those looking for the latest movies and TV shows are unlikely to find suitable apps offering that content for free anywhere else. Monitoring home networks is likely to prove prohibitively difficult too.
There may be a very good argument for physically destroying these devices. The complaint states that the entire supply chain is compromised. “They are devices manufactured by the BadBox 2.0 Enterprise,” it reads.
But even if malware isn’t preinstalled, it can be installed remotely when devices are switched on by the user or when users download apps designed to look attractive but carry a similarly malicious payload.
The preliminary injunction obtained by Google is available here (pdf)
Anyone running a SharePoint server should act urgently. Hackers are currently actively bypassing a patch for a critical security vulnerability. (Security vulnerability, Microsoft)
Netflix, Amazon and Disney are to invest more in German productions. Minister of State for Culture Weimer wants corresponding regulations. (Netflix, Amazon)
At a price of 22.22 euros, the Manba Slush ice machine positions itself as an inexpensive option compared with the popular Ninja Slushi. (Technology/Hardware, Entertainment & Hobby)