If you’ve ever wandered through some of the less-legitimate corners of the internet and/or the real world, you may have seen those “stream everything for free” Android TV set-top boxes for sale. As it turns out, they’re a real problem, with many of them hosting malware that turns them into a botnet that hosts proxies and advertising fraud tools. Google is taking an unusual tactic to shut them down: litigation.
BleepingComputer reports that the revived BadBox 2.0 malware is now running on over 10 million Android-based devices, mostly those sketchy streaming video boxes. The botnet is mainly used to create fake and spoofed advertising tools that are essentially stealing money from Google and other advertising firms (presumably sending it back to operators believed to be in China) in addition to more varied activities like DDoS attacks, proxies, and ransomware proliferation.
Google says those proxy connections are being sold to other criminals, for up to $1,390 USD for 500GB. Fake apps distributed to phones across the world, in third-party stores beyond the control of Apple and Google, are being used to reel in ad money.

Google says these cheap Android TV streaming devices and gadgets are being used to host and spread malware.
While Google can’t do much about hackers in China, it’s siccing lawyers on the companies that host the tools that make this botnet’s basic operations possible. They’ve presented a RICO case (Racketeer Influenced and Corrupt Organizations Act, a frequent tool used by US law enforcement to attack organized crime) that asks the US District Court to shut down more than 100 domains that are allegedly operating the malware and associated tools. If successful, Google and the court would be forcing some pretty big web service companies—including GoDaddy, Cloudflare, Amazon, and Alibaba—to shut down services to these sites.
I should point out that, even though these infected devices are running Android, they aren’t your typical Android TV/Google TV setups, and they don’t have Google Play Store or its associated safeguards in place. In fact, this botnet is conceptually no different from the big stuff that used to run almost exclusively across infected Windows machines in the 2000s and 2010s. It’s just that these Android-based boxes are cheap, popular, and easy to compromise thanks to Android’s easily modifiable nature.
It’s an unusual move, to be sure, but Google seems to have exhausted the options it has with its own tools, which include monitoring and shutting down ad accounts. It seeks to force registrars to cooperate with Google to identify and shut down the infected domains, with “permanent injunctions” to prevent the hackers from simply repeating the process with new domains. Oh, it would also like some money, in the form of “appropriate equitable relief under applicable statutes and law,” and the usual statutory damages and attorney’s fees.