{"id":84206,"date":"2025-07-21T09:00:44","date_gmt":"2025-07-21T09:00:44","guid":{"rendered":"https:\/\/www.cryptocabaret.com\/?p=84206"},"modified":"2025-07-21T09:00:44","modified_gmt":"2025-07-21T09:00:44","slug":"google-sues-operators-of-a-10-million-device-android-set-top-box-botnet","status":"publish","type":"post","link":"https:\/\/www.cryptocabaret.com\/?p=84206","title":{"rendered":"Google Sues Operators of a 10 Million Device Android Set-Top Box Botnet"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/android-malware.png\" alt=\"android-malware\" width=\"250\" height=\"144\" class=\"alignright size-full wp-image-269953\">In 2023, Google and its cybersecurity partners teamed up with German law enforcement agencies after <a href=\"https:\/\/www.humansecurity.com\/company\/satori-threat-intelligence\/badbox\/\">discovering BadBox<\/a>, a botnet comprised of 74,000 Android devices infected with malware. <\/p>\n<p>After deploying a range of measures to suppress BadBox, a much larger threat quickly arrived.<\/p>\n<h2>BadBox 2.0<\/h2>\n<p>BadBox 2.0 was discovered by HUMAN\u2019s Satori Threat Intelligence and Research team. Their <a href=\"https:\/\/www.humansecurity.com\/company\/satori-threat-intelligence\/badbox-2-0\/\">initial report<\/a> published in March revealed how infected devices were able to request and click on ads without the user being aware, committing ad fraud and laundering. <\/p>\n<p>As part of a botnet able to act as a residential proxy network, devices were also being used for account takeovers, DDoS attacks, and spreading malware. Since infected devices are also capable of executing new code delivered over the internet, without any user interaction, the potential for harm was unusually high. 
<\/p>\n<p><center><em>One million infected devices\u2026<\/em><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/human-badbox2.png\" alt=\"human-badbox2\" width=\"670\" height=\"392\" class=\"aligncenter size-full wp-image-269955\" srcset=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/human-badbox2.png 845w, https:\/\/torrentfreak.com\/images\/human-badbox2-300x175.png 300w, https:\/\/torrentfreak.com\/images\/human-badbox2-600x351.png 600w, https:\/\/torrentfreak.com\/images\/human-badbox2-150x88.png 150w, https:\/\/torrentfreak.com\/images\/human-badbox2-220x130.png 220w\" sizes=\"(max-width: 670px) 100vw, 670px\"><\/center><\/p>\n<p>At the time the impact of BadBox 2.0 was described as global, with more than one million devices infected in 222 countries and territories. To prevent the spread, users were advised to only download apps from official marketplaces such as Google Play while avoiding off-brand devices. <\/p>\n<p>A list of device model numbers made available since reveals that cheap set-top boxes manufactured in China appear to account for the majority of infected devices. 
However, laptop and desktop computers, smartphones, tablets, in-car entertainment devices and digital projectors have all been compromised too.<\/p>\n<p><center><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/badboxes-select-fs.png\" alt=\"badboxes\" width=\"670\" height=\"451\" class=\"aligncenter size-full wp-image-269946\" srcset=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/badboxes-select-fs.png 925w, https:\/\/torrentfreak.com\/images\/badboxes-select-fs-300x202.png 300w, https:\/\/torrentfreak.com\/images\/badboxes-select-fs-600x403.png 600w, https:\/\/torrentfreak.com\/images\/badboxes-select-fs-150x101.png 150w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\"><\/center><\/p>\n<p>In an <a href=\"https:\/\/blog.google\/technology\/safety-security\/google-taking-legal-action-against-the-badbox-20-botnet\/\">announcement<\/a> late last week, Google revealed that in partnership with HUMAN Security and Trend Micro, its researchers are now battling a botnet comprised of 10 million uncertified and infected devices, running Android\u2019s open-source software (Android Open Source Project), \u201cwhich lacks Google\u2019s security protections.\u201d<\/p>\n<h2>Lawsuit Filed in New York<\/h2>\n<p>Google\u2019s actions include a lawsuit filed at a federal court in New York which began in May but with most documents sealed until recently. 
In addition to a temporary restraining order issued on May 30, on July 1 Google was awarded a preliminary injunction to mitigate the ongoing spread of malware, infection of new devices, and other \u201ccriminal schemes\u201d.<\/p>\n<p>The identities of the defendants \u2013 Does 1-25 \u2013 are reportedly unknown, but with some confidence Google\u2019s recently unsealed complaint places the blame firmly on bad actors in China who it believes would not comply with a judgment for money damages.<\/p>\n<p>\u2022 <em><strong>The Infrastructure Group:<\/strong> Established and manages the \u201ccommand-and-control\u201d C2 infrastructure (C2 Servers and domains) for BadBox 2.0. <\/em><br \/>\n\u2022 <em><strong>The Backdoor Malware Group:<\/strong> Developed and preinstalls malware on the infected devices and uses that malware to operate a botnet composed of a subset of BadBox 2.0-infected devices to carry out a variety of ad fraud campaigns.<\/em><br \/>\n\u2022 <em><strong>The Evil Twin Group:<\/strong> Develops apps that the BadBox 2.0 Enterprise uses to commit ad fraud via hidden ads.<\/em><br \/>\n\u2022 <em><strong>The Ad Games Group:<\/strong> Connected to an ad fraud campaign conducted through BadBox 2.0-infected devices that uses fraudulent \u201cgames\u201d to generate ads in hidden web browsers.<\/em><\/p>\n<h2>Google Obtains Permission to Take Significant Action<\/h2>\n<p>Specific details are currently withheld, but it appears that Google has been granted broad permission based on claims under the Computer Fraud and Abuse Act (CFAA) and the Corrupt Organizations Act (RICO), to block (and require other entities to block) traffic to and\/or from IP addresses and certain domains. 
<\/p>\n<p>Other reasonable measures, including seizing control of domain names through registrars and registries, are also at Google\u2019s disposal, to limit the botnet\u2019s ability to operate.<\/p>\n<p><center><em>Blocking Measures on Steroids<\/em><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/blocking-measures.png\" alt=\"blocking measures\" width=\"646\" height=\"732\" class=\"aligncenter size-full wp-image-269963\" srcset=\"https:\/\/www.cryptocabaret.com\/wp-content\/uploads\/2025\/07\/blocking-measures.png 646w, https:\/\/torrentfreak.com\/images\/blocking-measures-300x340.png 300w, https:\/\/torrentfreak.com\/images\/blocking-measures-600x680.png 600w, https:\/\/torrentfreak.com\/images\/blocking-measures-132x150.png 132w\" sizes=\"auto, (max-width: 646px) 100vw, 646px\"><\/center><\/p>\n<p><a href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250605#fn2\">The FBI\u2019s advice<\/a> is for users to \u201cavoid downloading apps from unofficial marketplaces advertising free streaming content\u201d and \u201cassess all IoT devices connected to home networks for suspicious activity.\u201d<\/p>\n<p>While avoiding unofficial marketplaces is straightforward, those looking for the latest movies and TV shows are unlikely to find suitable apps offering that content for free anywhere else. Monitoring home networks is likely to prove prohibitively difficult too.<\/p>\n<p>There may be a very good argument for physically destroying these devices. The complaint states that the entire supply chain is compromised. \u201cThey are devices <em>manufactured<\/em> by the BadBox 2.0 Enterprise,\u201d it reads. 
<\/p>\n<p>But even if malware isn\u2019t preinstalled, it can be installed remotely when devices are switched on by the user or when users download apps designed to look attractive but carry a similarly malicious payload.<\/p>\n<p><em>The preliminary injunction obtained by Google is available <a href=\"https:\/\/torrentfreak.com\/images\/1-25-cv-04503-JPO-Google-v-Does-1-25-Badbox-2-Prelim-Injunc-250701.pdf\">here<\/a> (pdf)<\/em><\/p>\n<p>From: <a href=\"https:\/\/torrentfreak.com\/\">TF<\/a>, for the latest news on copyright battles, piracy and more.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2023, Google and its cybersecurity partners teamed up with German law enforcement agencies after discovering BadBox, a botnet comprised of 74,000 Android devices infected with malware. After deploying a range of measures to suppress BadBox, a much larger threat quickly arrived. 
BadBox 2.0 BadBox 2.0 was discovered by HUMAN\u2019s Satori Threat Intelligence and Research [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":84207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[308],"tags":[],"class_list":["post-84206","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-torrent"],"_links":{"self":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts\/84206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=84206"}],"version-history":[{"count":0,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/posts\/84206\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=\/wp\/v2\/media\/84207"}],"wp:attachment":[{"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=84206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=84206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cryptocabaret.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=84206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}