Date: 2025-07-18

Google is suing 25 unnamed cybercriminals, believed to be based in China, for operating BADBOX 2.0, one of the largest global botnets with 10 million compromised devices.

BADBOX relies on internet-connected Android boxes, such as smart TVs, streamers, digital picture frames, aftermarket infotainment systems, projectors, tablets, and other cheap off-brand Android devices manufactured in mainland China and shipped globally.

To date, it has infected over 10 million uncertified devices. These devices all run Android’s open-source software (Android Open Source Project) but lack Google’s security protections.

On July 11th, Google filed a lawsuit against a group of unnamed individuals, collectively referred to as “Does 1-25.” The cybercriminals are causing Google immediate, irreparable harm.

The lawsuit alleges that the group of cybercriminals tarnishes Google’s reputation when fraud occurs on its platforms, causing the company to expend substantial resources to detect, deter and disrupt BADBOX, which grows every day.

“Google has shown that Defendants – through their participation in, and operation of, the BadBox 2.0 Enterprise – have threatened the security of the internet, including Google platforms, by transmitting malware through the internet to configure, deploy, and operate a botnet,” the court document reads.

The threat actors sell access to the network of hijacked devices to other cybercriminals, who use them to hide their fraudulent and criminal activities on a large scale.

“Google is entitled to recover treble damages plus costs and attorney’s fees from the Defendants,” the complaint reads.

Google said in a blog post that it identified and quickly acted against the threat, and updated Google Play Protect, Android’s built-in protection against malware and unwanted software, to automatically block BadBox-associated apps.

However, BADBOX comes preinstalled on the devices at the firmware level and cannot be easily removed.

One of the most significant disruptions in recent years

Authorities and telecoms use sinkholing techniques to bar these devices from calling back home. A major collaboration between Human Security, Google, Trend Micro, and Shadowserver successfully disrupted the BADBOX 2.0 network by identifying and shutting down its command-and-control servers and blocking malicious applications.

Currently, around 5 million active and blocked compromised devices are connected to the internet, trying to get instructions from hackers, but unable to reach them because internet service providers filter this traffic, the Shadowserver Foundation’s data shows.

In June, the FBI issued an alert about BADBOX activities and urged users to check for indicators of compromise.

Google says its lawsuit is one of the most significant botnet disruptions in recent years.

“While these actions kept our users and partners safe, this lawsuit enables us to further dismantle the criminal operation behind the botnet, cutting off their ability to commit more crime and fraud,” Google explains.

According to John Lilliston, ThreatLocker Detect Product Director, Google is pursuing this to protect its market share of mobile devices.

“I view their legal action as an ethical pursuit that has widespread implications for their end users,” Lilliston said.

Google’s complaint alleges that defendants, believed to be based in China, have preinstalled malware on devices and tricked users into downloading malicious applications. They have hijacked devices without users’ knowledge, and their vast network of compromised devices participates in ransomware, distributed denial-of-service (DDoS), and other cyberattacks.

Who’s behind BADBOX 2.0?

Google's lawsuit alleges that all 25 defendants collaborated in a criminal enterprise to establish, grow, and manage the jointly developed botnet. The cohesive group has specific and assigned responsibilities, operates in the US and overseas, and targets and uses victim devices in the US.

To enrich themselves, members of the criminal ring all specialize and take part in different aspects of the scheme:

Some develop the botnet infrastructure.

Others sell proxy access to IP addresses to mask and facilitate nefarious internet activity.

Some render hidden ads on pre-installed apps on infected devices.

Others launch hidden web browsers that navigate to gaming sites replete with pop-up ads.

Some steer infected devices to domains managed by the enterprise.

The 25 individuals share infrastructure and resources, indicating collaboration and overlap with other threat actors.

Google aims to further disrupt the BadBox 2.0 network in the US, as successfully prosecuting the unidentified individuals in China is unlikely.