
Google has taken an unorthodox but forceful step to combat the proliferation of malware-laden Android streaming boxes: it’s launching a RICO lawsuit against the infrastructure behind a massive botnet scheme. These cheap Android-based TV set-top boxes—often marketed with promises like “stream everything for free”—have been quietly harboring the newly updated BadBox 2.0 malware, turning millions of devices into tools for widespread cybercrime. With over 10 million compromised units in circulation, Google is now looking to the courts to dismantle the digital network empowering this malicious activity.
As reported by BleepingComputer, BadBox 2.0 powers a variety of cyber threats, but the most notable among them is a lucrative ad fraud operation that’s siphoning money from Google and other advertising networks. The infected devices are also being used to carry out distributed denial-of-service (DDoS) attacks, host anonymous proxy services, and facilitate the spread of ransomware. According to Google, criminals are selling access to these proxy connections at premium prices—reaching as high as $1,390 for half a terabyte of data.
Because many of these devices operate independently of Google’s ecosystem—lacking the Play Store and its built-in security checks—they offer fertile ground for exploitation. These aren’t certified Android TV or Google TV devices; they are off-brand units often sold through unofficial channels with pre-installed software that can’t be vetted or secured by Google. Once compromised, they become part of a botnet infrastructure that resembles the kinds of malware campaigns that once dominated the Windows ecosystem in the early 2000s.
In response, Google has filed a RICO lawsuit against entities believed to be responsible for maintaining and operating the supporting infrastructure of the botnet. The company is requesting that the U.S. District Court shut down more than 100 domains linked to the operation. The case calls upon well-known service providers—including Amazon Web Services, Alibaba Cloud, GoDaddy, and Cloudflare—to help enforce domain shutdowns and stop the propagation of the malware.
This legal escalation marks a shift in Google’s strategy. The company has long fought botnets using internal tools such as ad fraud monitoring and platform-level protections, but the size and persistence of BadBox 2.0 have made legal action a necessity. Google’s lawsuit seeks not only to dismantle the current network but also to secure permanent injunctions preventing malicious actors from simply registering new domains and starting the cycle anew.
In addition to the shutdown of malware-hosting domains, Google is asking for appropriate financial compensation, including statutory damages and attorney’s fees. The outcome of the case could have far-reaching implications—not just for how tech companies combat botnets, but also for how the courts handle gray-market hardware that operates outside of official security ecosystems.

