Google lawsuit targets operators of ‘BADBOX 2.0’ in major botnet disruption

Written by: Sarah Kinbar, ThreatLocker Strategic Content Writer

Filed July 11 in the U.S. District Court for the Southern District of New York, Google LLC v. Does 1–25 targets a group of unnamed defendants allegedly behind “BADBOX 2.0,” a global botnet that Google says has infiltrated more than 10 million internet-connected devices.

In filings, Google said the case is one of the most significant botnet disruptions in recent years.

“I think Google is pursuing this as a means to protect their market share of mobile devices,” said ThreatLocker Detect Product Director John Lilliston. “I view their legal action as an ethical pursuit that has widespread implications for their end users.”

The civil complaint, filed under seal, accuses 25 unidentified individuals of operating a sprawling criminal enterprise that compromised consumer electronics to carry out large-scale ad fraud and proxy-based cybercrimes. Google cites alleged violations of the Computer Fraud and Abuse Act and the Racketeer Influenced and Corrupt Organizations Act.

FBI warns public about botnet

The threat is widespread enough that on June 5 the FBI issued a public service announcement warning that a growing number of internet-connected consumer devices, such as smart TVs, streaming boxes, digital picture frames, and aftermarket infotainment systems, are being compromised by malware linked to the BADBOX 2.0 botnet.

The advisory highlighted that many of these devices are either preloaded with malicious software during manufacturing or infected shortly after setup through unofficial app stores. Once compromised, the devices can be used as residential proxies for cybercriminal activity, including large-scale ad fraud and data exfiltration. The FBI urged consumers to disconnect suspicious devices, avoid installing apps from unverified sources, enable Google Play Protect, and regularly update device firmware to reduce exposure to this evolving threat.

How devices are affected

The compromised devices typically run builds of the Android Open Source Project (AOSP) that lack Google Play Protect, leaving them without the app scanning a certified Android device gets and making them especially vulnerable to malware embedded at the firmware level or installed through deceptive app downloads. Many of the affected endpoints are designed for budget-conscious consumers, schools, or developing markets where device security and software vetting may be limited.

Google described the botnet infrastructure as a “metastasizing network” that continues to grow daily, with at least 170,000 infected devices in New York and 65,000 within the Southern District alone. The company said its internal investigation and work with cybersecurity nonprofit The Shadowserver Foundation led to the disruption of 149 malicious domains tied to the operation, revealing traffic from 6.7 million unique IP addresses.

  • Cybercriminals use these devices to spoof user traffic and defraud ad platforms, likely generating millions in illegitimate ad revenue.
  • Infected devices may be used to siphon user data from homes, businesses, and schools.
  • The compromised devices serve as stepping stones to hide attackers’ real locations while they commit other crimes.
  • Because the malware is embedded in the device firmware, it is difficult to remove; a factory reset restores the same infected image, so even a full reset often does not help.

The scale and sophistication of the BADBOX 2.0 operation distinguish it from prior botnet cases.

Protecting against infected devices

Businesses concerned about compromised consumer devices on their networks should not rely on the devices themselves being fixable: put smart TVs, streaming boxes, and similar hardware on a segregated network and use a firewall to restrict what they can reach, so that an infected device cannot move laterally to managed endpoints, siphon data from internal systems, or be used as an inbound proxy. Devices that show signs of compromise should be disconnected and replaced rather than reset, since the malware survives a factory reset.

“For example, ThreatLocker Network Control is an endpoint firewall that protects your devices from unmanaged or potentially compromised devices on your network,” said Special Projects Engineer Kieran Human.
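One way to put that recommendation into practice is segmentation on the router or firewall that forwards traffic between consumer devices and managed endpoints. The nftables ruleset below is an added illustration for this article; it is not ThreatLocker Network Control configuration and not anything taken from Google's filings or the FBI advisory. The interface name eth0.20, the subnets 10.20.0.0/24 (IoT VLAN), 10.0.0.0/24 and 10.10.0.0/24 (managed segments), and the resolver address 10.0.0.53 are hypothetical placeholders to be replaced with your own addressing.

```nftables
#!/usr/sbin/nft -f
# Added example for this article; not ThreatLocker Network Control or any
# configuration from Google's filings.
# Hypothetical layout: eth0.20 = VLAN for smart TVs, streaming boxes and other
# consumer Android devices (10.20.0.0/24); 10.0.0.0/24 and 10.10.0.0/24 = managed
# segments; 10.0.0.53 = internal DNS resolver handed to the IoT devices via DHCP.
# Loaded on the router/firewall that forwards between these segments.

flush ruleset

table inet iot_segment {
    set managed_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24, 10.10.0.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Traffic that neither comes from nor goes to the IoT VLAN is out of scope here.
        iifname != "eth0.20" oifname != "eth0.20" accept

        # Managed hosts may initiate connections to the devices (casting, admin);
        # nothing else may, so an infected box cannot be used as an inbound proxy.
        iifname != "eth0.20" oifname "eth0.20" ip saddr @managed_nets accept

        # DNS must go to the internal resolver so every lookup is visible in its logs.
        iifname "eth0.20" ip daddr 10.0.0.53 udp dport 53 accept
        iifname "eth0.20" ip daddr 10.0.0.53 tcp dport 53 accept
        iifname "eth0.20" udp dport 53 log prefix "iot-dns-bypass " counter drop
        iifname "eth0.20" tcp dport { 53, 853 } log prefix "iot-dns-bypass " counter drop

        # An infected device must not reach managed endpoints or servers.
        iifname "eth0.20" ip daddr @managed_nets log prefix "iot-to-corp " counter drop

        # Legitimate streaming and app traffic: HTTP, HTTPS and QUIC to the internet.
        iifname "eth0.20" tcp dport { 80, 443 } accept
        iifname "eth0.20" udp dport 443 accept

        # Everything else originating on the IoT VLAN is logged for review and dropped.
        iifname "eth0.20" log prefix "iot-egress-denied " counter drop
    }
}
```

Load it with `nft -f` on the segment router. Be clear about what this does and does not buy you: an infected box can still generate ad-fraud or proxy traffic to the internet over port 443, which is indistinguishable from ordinary streaming at this layer, but it can no longer reach managed endpoints, siphon data from internal systems, or accept inbound connections from outside. The logged drops (prefixes iot-to-corp, iot-dns-bypass and iot-egress-denied) and the internal resolver's query log give you a short list of devices to investigate, and because the malware survives a factory reset, a device that shows up there should be disconnected and replaced rather than reset.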

Google is seeking permanent injunctive relief and damages, along with court authorization to continue technical operations aimed at dismantling the network and preventing future harm.

The defendants, whose identities remain unknown, are believed to be based in China. Many of the domain names allegedly used to manage the botnet were registered with false registrant information, including aliases such as “super man” and “super cat.”

The case number is 1:25-cv-04503-JPO.
