Google Moves to Halt Massive “BadBox 2.0” Malware Attack on Android Devices
A sophisticated malware operation, known as BadBox 2.0, has infiltrated over 10 million Android devices worldwide. These include inexpensive, no-name TV streaming devices, tablets, and digital projectors, mostly manufactured in China. Google has responded by filing a lawsuit in New York aimed at shutting down this cybercriminal network.
How BadBox 2.0 Infects Devices
- Preinstalled Threat: Some devices arrive with BadBox 2.0 malware preinstalled before purchase.
- Trojanized Apps: The malware can also infect new devices after users download seemingly harmless apps from unofficial app stores during setup.
- Targeted Devices: Most affected are uncertified Android devices, which ship without Google’s built-in protections (including Google Play Protect) and therefore cannot rely on Google to block known malicious apps.
What the Malware Does
BadBox 2.0 is used to build a massive botnet, a network of infected devices controlled by cybercriminals. The malware runs in the background and is primarily used for ad fraud: it generates fake ad views, secretly launches hidden browsers, and clicks ads without the user’s knowledge. The infected devices can also be rented out for more serious crimes, such as ransomware or coordinated online attacks. The operators are known to sell access to the infected devices, which makes them valuable launch points for further attacks in the U.S. and worldwide.
Google’s Legal and Technical Response
- Lawsuit Details: Google’s suit names at least 25 unidentified individuals or organizations, allegedly based in China. The company is requesting an injunction to block internet domains tied to the botnet’s command-and-control servers.
- Play Protect Updates: Google has strengthened Google Play Protect’s defenses against BadBox-related apps so that users of Play Protect certified devices are automatically shielded from infection; uncertified devices, which lack Play Protect, do not benefit from this.
- Ongoing Coordination: Google’s actions follow warnings from the FBI and continued coordination with law enforcement to disrupt the botnet’s operations.
Impacted Products and Models
A number of Android TV boxes have been identified as affected, including the X88 Pro 10, T95, MXQ Pro and QPLOVE Q9. A more extensive list has been published by security researchers.
What Lies Ahead
Google’s legal action aims to dismantle the command-and-control infrastructure behind BadBox 2.0, limiting the criminals’ ability to conduct further attacks. The scale and adaptability of this campaign highlight the growing risks of uncertified Android devices and underline basic precautions: buy Play Protect certified hardware and avoid installing apps from unofficial app stores.