Google is taking legal action against what it describes as one of the most expansive Android-based malware operations to date. The company filed a lawsuit in a New York court this week targeting the operators of “BadBox 2.0,” a botnet that has already compromised over 10 million devices globally, including low-cost Android TV boxes, tablets, and digital projectors.
The malware campaign, which Google links to China-based actors, has spread primarily through inexpensive, no-name Android devices. Some units arrive with the malware preinstalled, while others become infected during setup when users are prompted to download apps from unofficial app stores. Once installed, BadBox enrolls the device in a botnet that can be remotely controlled for various cybercrimes, from fraudulent ad-clicking to potentially more serious attacks such as ransomware or distributed denial-of-service (DDoS) campaigns.
Google’s lawsuit names at least 25 individuals or entities involved in operating the botnet. While their exact identities remain unknown, the company is asking the court for broad authority to disrupt the operation. This includes requesting a permanent injunction to shut down domains associated with BadBox’s command-and-control infrastructure. Google says many of these domains are hosted by services such as Cloudflare, GoDaddy, and NameCheap.
“This botnet—called the ‘BadBox 2.0’ botnet—is already the largest known botnet of internet-connected TV devices,” Google said in its filing. “Without warning, it could be used to commit more dangerous cybercrimes.”
Security researchers first uncovered the malware in March 2025, and the FBI issued a public warning the following month. However, Google’s legal filing is the first to quantify the scope, estimating more than 10 million compromised devices.
The lawsuit lists affected devices by name, including Android TV models such as X88 Pro 10, T95, MXQ Pro, and QPLOVE Q9. These products typically run Android Open Source Project (AOSP) versions of the operating system—versions that lack Google’s official Play Protect security layer. This makes them easier targets for tampering and malware injection.
One aspect that makes BadBox 2.0 particularly dangerous is its flexibility. In addition to serving as a click-fraud engine, it can be leased out by its operators to other cybercriminals, effectively giving buyers access to millions of devices for launching broader attacks. This kind of rented access turns vulnerable hardware into digital beachheads for global cybercrime.
In its blog post, Google emphasized that the legal effort is intended to “cut off their ability to commit more crime and fraud.” The company warned that even if a device appears to be functioning normally, malware like BadBox can silently operate in the background.
Users concerned about their devices should check whether they own any of the listed models and consider disconnecting or replacing them. At this point, there is no simple fix. Because the malware can be embedded at the system level or disguised inside trojanized apps, removal often requires wiping the device or abandoning it altogether.
With this lawsuit, Google is looking to expand its ongoing campaign to dismantle malicious operations at the infrastructure level. The case also highlights the risks of using off-brand Android hardware, which often comes with fewer safeguards and limited support.