Google Sues the Badbox Botnet Operators

It will be interesting to watch what will come of this private lawsuit:

Google on Thursday announced filing a lawsuit against the operators of the Badbox 2.0 botnet, which has ensnared more than 10 million devices running Android open source software.

These devices lack Google’s security protections, and the perpetrators pre-installed the Badbox 2.0 malware on them, to create a backdoor and abuse them for large-scale fraud and other illicit schemes.

This reminds me of Meta’s lawsuit against NSO Group over its Pegasus hack-for-hire software (which I wrote about here). It’s a private company stepping into a regulatory void left by governments.

Slashdot thread.

Posted on July 23, 2025 at 7:04 AM

Comments

Clive Robinson July 23, 2025 10:37 AM

@ ALL,

The article is quite unclear on many things, but two stand out as being both relevant and important,

‘These devices lack Google’s security protections, and the perpetrators pre-installed the Badbox 2.0 malware on them’

The first bit of “lack Google…” that’s actually a consequence of the way Google makes money.

But “pre-installed…” That makes it sound like a “Supply Chain Attack” but no further details are given.

Which brings us onto the second major issue,

‘According to Google, Badbox 2.0 is operated by multiple cybercrime groups from China, each having a different role in maintaining the botnet, such as establishing infrastructure, developing and pre-installing the malware on devices, and conducting fraud.’

So what… None of these “observations” are things a judge can rule on, it needs specific charges or complaints, none of which are mentioned. So we have no way to tell if there is a snowball in hell’s chance of the action(s) proceeding let alone getting across the burden of proof required.

But further note,

“multiple cybercrime groups from China”

The article does not make clear where they are operating from or what legal treaties there are between the US and wherever that is, or if those being accused will appear or can be made to appear.

Now, there are few reasons to start a case in absentia as all it normally gets is a load of legal bills and not much else.

However it’s possible to get a court to grant some forms of relief that can be used.

In the past Microsoft have used such actions to gain access to both servers / control heads as well as individual devices. Thus making action against these devices under whatever protection the court can grant. Up to and including full access to all involved devices to patch or brick etc without the owners being able to take action for the equivalent of “trespass” or worse.

But this really annoys me,

‘The internet giant cautions that, while it has been used mainly for fraud, the botnet could be used for more harmful types of cybercrime, such as ransomware or distributed denial-of-service (DDoS) attacks.’

Fraud comes in all manner of forms including “Identity theft”. As any individual who has suffered through the fallout of fraud / ID theft can tell you, the effects for an individual are generally way, way worse than the comparative annoyance of DDoS and ransomware are to commercial entities that mostly shrug them off these days.

But… A real clue to the Google motives can be found in,

‘As part of their operation, the individuals behind Badbox 2.0 sold access to the infected devices to be used as residential proxies, and conducted ad fraud schemes by abusing these devices to create fake ad views or to exploit pay-per-click compensation models, the company continues.’

Note the “conducted ad fraud” that’s what,

“Really grips Google’s 541t”

Because it’s stealing from Caesar… And that cannot be allowed to happen to the company that facilitates much if not most of the Ad-Fraud on the Internet.

lurker July 23, 2025 2:27 PM

The origin of the devices is not stated in the article, but they are running “open source Android software” and “lack Google’s security protection”, typical of whitebox Chinese devices. Badbox malware is alleged to be operated by “groups from China.”

Sanctions against China, applied by Google under instruction from the US govt, prevent many Chinese device manufacturers from loading Google’s security protection. Looks like the sanctions have turned to bite the sanctioner. Will extortionary tariffs fix the insatiable US consumer demand for cheap Chinese devices? Be careful what you wish for.
