Google Targets Malware Affecting 10M Android Devices and Botnets

Edward Zhou

CEO & Co-Founder

July 19, 2025 · 3 min read

BadBox 2.0 Malware Threat


Malware identified as "BadBox 2.0" has affected over 10 million Android devices, including various no-name TV streaming devices, tablets, and projectors. Google has initiated a lawsuit in New York to dismantle what it describes as a "criminal enterprise" operating as a botnet. The botnet, referred to as the "largest known botnet of internet-connected TV devices," poses a risk of being utilized for serious cybercrimes, including ransomware and DDoS attacks.

The malware spreads through low-cost Android devices manufactured in China. It either comes preinstalled or is downloaded as a Trojanized application from an unofficial app store during device setup. The operators then sell access to the compromised devices to other cybercriminals, who use them to carry out attacks in the U.S. and elsewhere. Google has identified several affected models, including Android TV boxes such as the X88 Pro 10, T95, MXQ Pro, and QPLOVE Q9. For a more comprehensive list, refer to Human Security.

Google's lawsuit claims the hackers, based in China, include at least 25 individuals or entities. The company is asking the court for a permanent injunction to cease operations related to the BadBox malware, which also generates fraudulent clicks for mobile ads. The legal action aims to disrupt the botnet by targeting the command-and-control servers that manage the malware's operations.

Legal Action Against Cybercriminals

Google's legal strategy involves pursuing a RICO case against the operators of the BadBox 2.0 botnet. The company seeks to shut down over 100 domains linked to the malware, which are hosted by major web service providers such as GoDaddy, Cloudflare, and Amazon. This legal route is considered necessary because conventional responses, such as monitoring and shutting down the associated ad accounts, have proven insufficient.

The lawsuit highlights the infrastructure behind the botnet, which includes various groups responsible for different criminal activities. The Infrastructure Group manages the command-and-control setup, while the Backdoor Malware Group develops the malware itself. Additionally, the Evil Twin Group creates fraudulent apps to generate ad revenue, and the Ad Games Group uses fake games for similar purposes.

Google's actions were prompted by the FBI's warning about BadBox 2.0 and its potential for large-scale ad fraud. The botnet has been described as a significant threat, particularly in countries such as Brazil, the U.S., Mexico, and Argentina. For an overview of the botnet's impact, see The Hacker News.

Anatsa Malware in Google Play Store


A different malware strain, named "Anatsa," infiltrated the Google Play Store by masquerading as a legitimate document viewer app. This Trojan, which garnered over 50,000 downloads before its removal, is designed to access banking applications covertly. ThreatFabric reported that the app initially appeared legitimate but was modified to deliver malicious updates that hijack access to U.S. mobile banking apps.

Anatsa can perform various malicious actions, including credential theft and keylogging, while displaying fake notifications to mislead users. This incident raises concerns about the effectiveness of Google Play Protect in safeguarding against apps that transition from legitimate to malicious post-download.

Google's security measures have been called into question, especially regarding the app's quick transformation into a threat approximately six weeks after its launch. This underscores the need for robust security practices to combat mobile malware threats effectively.
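The two delivery paths described above (firmware-level or setup-time installs for BadBox 2.0, and a store-delivered app that turns malicious through a later update for Anatsa) each leave a trace in a device's package inventory. The script below is an added example, not code from the article or from Gopher Security. It parses the output of `adb shell pm list packages -f -i` (a real Android command whose lines read `package:<apk path>=<package name>  installer=<pkg|null>`) and buckets every package by where it came from. The trusted-installer set is a policy choice, the firmware partition prefixes are an assumption about the device image, and the sample device output is constructed for the example.

```python
"""Package-provenance audit for an Android device, driven by adb.

Added example (not from the article): buckets every installed package by where
it came from, so preinstalled, sideloaded and store-delivered apps can each be
reviewed against the right question.
"""
import subprocess
from typing import Dict, List, NamedTuple, Optional

# Policy choice (assumption), not something the article states: only the Play
# Store (package name com.android.vending) counts as a trusted installer here.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Assumption about the device image: APKs under these partitions shipped with
# the firmware, which is where a BadBox-style factory compromise would live.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/")


class PackageEntry(NamedTuple):
    name: str
    path: Optional[str]       # APK path, present only when pm was run with -f
    installer: Optional[str]  # installing package, None when pm reports "null"


def parse_pm_list(output: str) -> List[PackageEntry]:
    """Parse `pm list packages -f -i` output.

    Each line looks like:  package:<apk path>=<package name>  installer=<pkg|null>
    Modern APK paths contain '=' characters, so the line is split from the right.
    """
    entries: List[PackageEntry] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # blank lines, shell warnings, etc.
        body = line[len("package:"):]
        head, sep, installer = body.rpartition("installer=")
        if not sep:
            continue  # pm was run without -i; nothing to classify
        head = head.strip()
        path, sep2, name = head.rpartition("=")
        if not sep2:
            path, name = None, head  # pm was run without -f
        installer = installer.strip()
        entries.append(PackageEntry(name, path, None if installer == "null" else installer))
    return entries


def classify(entries: List[PackageEntry],
             trusted=TRUSTED_INSTALLERS) -> Dict[str, List[str]]:
    """Bucket packages by provenance.

    firmware        : shipped in the ROM; compare against the vendor's expected image
    sideloaded      : user partition but no recorded installer (adb, a local file,
                      a setup-time download); the unofficial-store path in the article
    unofficial_store: installed by some other app, e.g. a third-party store or a dropper
    trusted_store   : installed by a trusted installer. Not proof of safety: Anatsa
                      shipped through the Play Store and turned malicious by update.
    """
    buckets: Dict[str, List[str]] = {
        "firmware": [], "sideloaded": [], "unofficial_store": [], "trusted_store": []}
    for e in entries:
        if e.path and e.path.startswith(FIRMWARE_PREFIXES):
            buckets["firmware"].append(e.name)
        elif e.installer is None:
            buckets["sideloaded"].append(e.name)
        elif e.installer in trusted:
            buckets["trusted_store"].append(e.name)
        else:
            buckets["unofficial_store"].append(e.name)
    return buckets


def audit_device(serial: Optional[str] = None) -> Dict[str, List[str]]:
    """Run the inventory against a connected device (requires adb on PATH)."""
    cmd = (["adb"] + (["-s", serial] if serial else [])
           + ["shell", "pm", "list", "packages", "-f", "-i"])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return classify(parse_pm_list(out))


# Constructed sample output (not from a real device) so the script runs offline.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/system/app/VendorUpdater/VendorUpdater.apk=com.example.vendor.updater  installer=null
package:/data/app/~~abc==/com.example.docviewer-1/base.apk=com.example.docviewer  installer=com.android.vending
package:/data/app/~~def==/com.example.freetv-2/base.apk=com.example.freetv  installer=com.example.thirdpartystore
package:/data/app/~~ghi==/com.example.sideloaded-1/base.apk=com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    for bucket, pkgs in classify(parse_pm_list(SAMPLE_PM_OUTPUT)).items():
        print(f"{bucket:17s}{pkgs}")
```

The buckets answer different questions: the firmware list is only useful when diffed against what the vendor says the image should contain, the sideloaded and unofficial-store lists are the ones to review first on a cheap TV box, and a package in the trusted bucket still needs its update history checked, because the Anatsa case shows a store-delivered app can become malicious weeks after install.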

Importance of Advanced Security Solutions

The rising prevalence of malware like BadBox 2.0 and Anatsa highlights the critical need for advanced security solutions. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, which integrates networking and security across various environments—from endpoints and private networks to cloud, remote access, and containers.

Our offerings include:

  • AI-Powered Zero Trust Platform
  • Advanced AI Authentication Engine
  • Secure Access Service Edge (SASE)
  • Cloud Access Security Broker
  • Micro-Segmentation for Secure Environments

Explore how Gopher Security can enhance your organization's cybersecurity posture by visiting Gopher Security for more information or to contact us.

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
