Attention CISOs and cybersecurity professionals: Google, along with partners HUMAN Security and Trend Micro, has filed a lawsuit in New York federal court to take down BADBOX 2.0, a global botnet infecting over 10 million uncertified Android-based IoT devices ranging from set-top boxes to digital picture frames. This development is critical now, as the FBI has issued a public service announcement warning about the botnet’s role in massive ad fraud, proxy abuse, and more.
On 17 July 2025, Google announced it had initiated civil proceedings in the Southern District of New York, suing unnamed individuals responsible for creating and maintaining BADBOX 2.0. The lawsuit seeks injunctions and damages under US computer crime statutes.
Botnet Scale & Infection Methods
The botnet has compromised more than 10 million IoT devices, many built on the Android Open Source Project (AOSP) and lacking Google Play Protect security. Infection methods include:
- Pre-installed malware on uncertified cheap devices
- Drive-by or third-party app download attacks during device setup
Technical Overview (MITRE ATT&CK)
- Initial Access: exploitation of pre-installed or drive-by malware
- Execution: system binary misuse for ad-fraud payloads
- Persistence: installation of a backdoor service
- Command & Control: proxy traffic to C2 infrastructure
- Impact: ad fraud, proxy misuse, data theft
FBI Alert: What You Should Know
On 5 June 2025, the FBI issued PSA I‑060525, cautioning the public about BADBOX 2.0’s ability to co-opt home IoT devices for proxy services, ad fraud, data exfiltration, password theft, account takeover, and DDoS facilitation (Internet Crime Complaint Center). The alert urged users to:
- Remove suspicious devices
- Avoid third-party app sources
- Enable Play Protect
- Monitor home network traffic
Global and MEA Context
- MEA markets are at risk due to the popularity of affordable AOSP devices often without regular security vetting.
- Similar IoT botnets in Asia and Latin America (notably Brazil with >1/3 of affected devices) have triggered local CERT advisories (FOX 5 Atlanta, WIRED, PPC Land, HUMAN Security).
- The joint action shows increasing global coordination in cybersecurity, notably between tech companies and law enforcement.
Expert and Official Statements
“While these actions kept our users and partners safe, this lawsuit enables us to further dismantle the criminal operation behind the botnet…” — Google legal filing quoted in PC Gamer (PC Gamer)
“We urge manufacturers, retailers, and consumers to follow the mitigation guidance in the FBI PSA…” — HUMAN Security’s Gavin Reid (HUMAN Security)
At‑Home Detection Indicators
The FBI listed key signs of a BADBOX infection (Internet Crime Complaint Center):
- Offers to disable Google Play Protect
- Requests for unofficial app store access
- Generic, unbranded Android IoT devices
- Unusual network traffic or slowdowns
Actionable Takeaways for Security Leaders
- Audit networked IoT devices, especially generic Android-based gadgets (smart TVs, digital frames, etc.).
- Configure routers and firewalls to allow only known devices, and monitor for unusual outbound traffic.
- Activate Google Play Protect on any Android-based device; block uncertified units.
- Block unofficial app stores and prevent sideloaded app installs via policy.
- Educate users and staff on IoT risks; early training is essential.
- Engage in IoT pentesting across networked home-office devices.
- Deploy network monitoring tools for anomaly detection (DNS, proxy, ad-request patterns).
- Stay current with news on IoT fraud and botnet developments.
- Advocate for vendor accountability and secure device boot firmware across MEA markets.
- Establish an IoT ownership framework to track device origin, certification, and patches.
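The detection indicators above ("unusual network traffic or slowdowns") and the takeaways on allowlisting known devices and monitoring DNS, proxy and ad-request patterns can be turned into a small, repeatable check. The script below is an added example written for this article; it is not code from Google, HUMAN Security, Trend Micro or the FBI. It assumes a router or firewall exports per-connection flow records and DNS query logs in the simple CSV shapes constructed inline, and the field layout, thresholds, device inventory and sample log lines are all assumptions made here. It flags a device that is absent from the owner's inventory, that is upload-heavy toward many distinct external destinations (the shape of a residential proxy node rather than a display device), or that resolves an unusually large number of distinct names in one window.

```python
"""Flag IoT devices whose outbound traffic looks like proxy or ad-fraud activity.

Added example, not code from the article, Google, HUMAN Security or the FBI.
It assumes a router or firewall exports per-connection flow records and DNS
query logs in the simple CSV shapes constructed below; the field layout,
thresholds, device inventory and sample lines are all assumptions made here.
"""
from collections import defaultdict

# Assumed detection thresholds; tune them to the baseline of your own network.
UPLOAD_RATIO_LIMIT = 5.0        # bytes_out / bytes_in above this is upload-heavy
MIN_DISTINCT_DESTINATIONS = 3   # fan-out expected of a proxy node, not a display
MAX_DISTINCT_DOMAINS = 30       # DNS churn a picture frame has no reason to show

# Constructed device inventory (the allowlist of devices the owner recognises).
KNOWN_DEVICES = {
    "192.168.1.10": "laptop",
    "192.168.1.11": "phone",
    "192.168.1.20": "smart-tv (certified brand)",
}

# Constructed flow records: src_ip,dst_ip,dst_port,bytes_out,bytes_in.
# Destination addresses come from RFC 5737 documentation ranges.
FLOW_LOG = """\
192.168.1.10,198.51.100.8,443,5200,180000
192.168.1.10,198.51.100.9,443,2100,90000
192.168.1.11,198.51.100.20,443,900,40000
192.168.1.20,198.51.100.30,443,1500,2400000
192.168.1.31,203.0.113.5,443,400000,9000
192.168.1.31,203.0.113.17,443,380000,8000
192.168.1.31,203.0.113.23,8080,150000,3000
192.168.1.31,203.0.113.44,443,90000,2500
192.168.1.31,203.0.113.61,443,120000,2000
"""

# Constructed DNS query log: src_ip,queried_name. The unknown device resolves
# sixty distinct names in the window; the laptop resolves a handful.
DNS_LOG = "\n".join(
    [f"192.168.1.10,site{i}.example" for i in range(5)]
    + [f"192.168.1.31,ad{i}.example" for i in range(60)]
)


def parse_flows(text):
    """Aggregate flow records per source device: destinations and byte counts."""
    stats = defaultdict(lambda: {"dsts": set(), "out": 0, "in": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, _port, bytes_out, bytes_in = line.split(",")
        stats[src]["dsts"].add(dst)
        stats[src]["out"] += int(bytes_out)
        stats[src]["in"] += int(bytes_in)
    return stats


def parse_dns(text):
    """Collect the distinct names each device resolved."""
    names = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qname = line.split(",")
        names[src].add(qname)
    return names


def analyze(flow_text, dns_text, known_devices):
    """Return {device_ip: {"findings": [...], ...}} for every device seen."""
    flows = parse_flows(flow_text)
    dns = parse_dns(dns_text)
    report = {}
    for ip in sorted(set(flows) | set(dns)):
        f = flows.get(ip, {"dsts": set(), "out": 0, "in": 0})
        # A device with no inbound bytes at all is treated as maximally upload-heavy.
        ratio = f["out"] / f["in"] if f["in"] else float("inf")
        domains = len(dns.get(ip, ()))
        findings = []
        if ip not in known_devices:
            findings.append("unknown-device")
        if ratio > UPLOAD_RATIO_LIMIT and len(f["dsts"]) >= MIN_DISTINCT_DESTINATIONS:
            findings.append("proxy-like-fanout")
        if domains > MAX_DISTINCT_DOMAINS:
            findings.append("dns-churn")
        report[ip] = {
            "name": known_devices.get(ip, "<not in inventory>"),
            "distinct_destinations": len(f["dsts"]),
            "upload_ratio": round(ratio, 2),
            "distinct_domains": domains,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for ip, row in analyze(FLOW_LOG, DNS_LOG, KNOWN_DEVICES).items():
        print(f"{ip:15} {row['name']:28} {', '.join(row['findings']) or 'ok'}")
```

With the constructed logs, the known laptop, phone and TV produce no findings, while the unlabelled device at 192.168.1.31 trips all three checks. In practice the thresholds should be set from a baseline of normal traffic for each device class, and a device that trips the inventory check alone is the cue to walk the house or office and identify the hardware, which lines up with the FBI's advice to remove suspicious, unbranded devices.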
Conclusion
Google’s lawsuit marks a pivotal move toward tackling IoT-based ad fraud and proxy botnets like BADBOX 2.0. With over 10 million devices compromised, including those in MEA countries, the incident is a wake-up call for stronger device certification, vigilant home-network security, and cross-sector cooperation. As law enforcement and tech firms continue their disruption, organizations must zero in on IoT governance, proactive awareness initiatives, and comprehensive monitoring to avoid falling prey to the next generation of bot-driven threats.
Sources
- Google Blog: “We’re taking legal action against the BadBox 2.0 botnet” (17 Jul 2025) (blog.google)
- PC Gamer: “Google begins legal action…” (18 Jul 2025) (PC Gamer)
- FBI PSA I‑060525 (5 Jun 2025) (Internet Crime Complaint Center)
- ThreatLocker blog: Google lawsuit background (16 Jul 2025) (threatlocker.com)
- HUMAN Security blog: FBI & partners action (9 Jun 2025) (HUMAN Security)
- Fox5Atlanta: FBI warning summary (5 Jun 2025) (FOX 5 Atlanta)
- Wired: BadBox 2.0 backdoor in 1 M+ devices (5 Mar 2025) (WIRED)
- PPC.Land: $50B ad fraud via IoT botnet (18 Jul 2025) (PPC Land)