
FBI Issues Alert as BADBOX 2.0 Malware Infects Over 1 Million Devices, Hijacking Home Networks Worldwide

The FBI has issued a critical warning regarding a massive malware campaign—dubbed BADBOX 2.0—which has compromised over 1 million Internet-connected consumer devices, including smart TVs, Android tablets, projectors, and streaming boxes. The malware, often embedded in Chinese-manufactured IoT devices, turns them into residential proxies exploited by cybercriminals to mask their activities.

"The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," the FBI stated.

The infection typically occurs when users purchase devices preloaded with malicious firmware or unknowingly install compromised apps from third-party stores or, occasionally, even Google Play. During initial setup, these apps introduce backdoors, linking the devices to command and control (C2) servers, where attackers remotely execute various malicious operations.

These include:
  • Residential Proxy Networks: Using victims' home IP addresses to route traffic and hide malicious activity.
  • Ad Fraud: Background ad-clicking to generate illegitimate revenue.
  • Credential Stuffing: Attempting unauthorized logins using stolen credentials, hidden behind compromised IPs.

"Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," the FBI added.

The original BADBOX malware was discovered in 2023 on low-cost Android TV boxes such as the T95. In December 2024, Germany's Federal Office for Information Security (BSI) sinkholed the botnet's command-and-control domains, temporarily crippling it, but the operators quickly rebounded: within a week, nearly 192,000 infected devices were observed, including more reputable models such as Yandex TVs and Hisense smartphones.

According to HUMAN's Satori Threat Intelligence and Research team, over 1 million devices were compromised by March 2025. The malware predominantly affects devices built on the Android Open Source Project (AOSP) without Google's services, not Play Protect certified devices or those running the official Android TV OS; on such uncertified devices Google Play Protect is typically absent, so preloaded apps are never scanned. Researchers observed BADBOX 2.0 activity in 222 countries and territories, with the highest infection rates reported in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).

"This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand', uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

Despite another coordinated disruption effort by HUMAN, Google, Trend Micro, and other partners—successfully preventing 500,000 infected devices from reaching command servers—the malware campaign persists, fueled by ongoing global sales of vulnerable devices.

Red flags indicating BADBOX 2.0 infection include:

  • Suspicious or third-party app stores preloaded on the device
  • Disabled Google Play Protect
  • Claims of free or unlocked streaming access
  • Unbranded or unknown device manufacturers
  • Unusual Internet traffic patterns

The FBI advises consumers to take the following precautions:

  • Audit all connected smart devices for abnormal behavior
  • Avoid downloading apps from unofficial sources
  • Monitor home network traffic regularly
  • Ensure devices are updated with the latest firmware
  • Immediately disconnect any suspected devices from the Internet

If compromised, isolating the affected device from the network can help prevent further damage and disrupt the malware's control path.
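The "unusual Internet traffic patterns" red flag and the "monitor home network traffic" advice above are easier to act on with a concrete check. The script below is an added example, not code from the FBI, HUMAN or the original post: it takes per-flow records in the shape a home router's NetFlow or conntrack export provides (source device, destination, port, bytes each way) and flags devices whose traffic looks like a residential proxy rather than a media player. Two heuristics are used: a streaming box normally talks to a handful of CDN addresses and downloads far more than it uploads, whereas a device relaying someone else's traffic fans out to many unrelated hosts with roughly symmetric byte counts. The thresholds and the sample flows are constructed assumptions for illustration, not figures from the reports.

```python
"""Flag LAN devices whose outbound traffic looks like a residential proxy.

Added example. Flow records are constructed to resemble a home router's
NetFlow/conntrack export; thresholds are assumptions for a typical
streaming box or tablet, not figures from the FBI or HUMAN reports.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN device IP
    dst: str        # remote IP the device connected to
    dport: int      # remote port
    bytes_out: int  # LAN -> Internet
    bytes_in: int   # Internet -> LAN


# Assumed thresholds (tune per household after a week of baseline data).
MAX_DISTINCT_DST = 25   # a media device normally talks to a few CDN hosts
MAX_UPLOAD_RATIO = 0.5  # bytes_out / bytes_in; streaming is download-heavy
MIN_FLOWS = 30          # don't judge a device on a handful of flows


def summarize(flows):
    """Aggregate per device: flow count, distinct destinations, bytes each way."""
    per = defaultdict(lambda: {"flows": 0, "dsts": set(), "out": 0, "in": 0})
    for f in flows:
        d = per[f.src]
        d["flows"] += 1
        d["dsts"].add(f.dst)
        d["out"] += f.bytes_out
        d["in"] += f.bytes_in
    return per


def proxy_suspects(flows):
    """Return {device_ip: [reasons]} for devices that exceed the thresholds."""
    verdicts = {}
    for ip, d in summarize(flows).items():
        if d["flows"] < MIN_FLOWS:
            continue  # too little data to judge
        reasons = []
        fanout = len(d["dsts"])
        if fanout > MAX_DISTINCT_DST:
            reasons.append(f"fan-out to {fanout} distinct destinations")
        # A relaying device sends out roughly what it pulls in.
        ratio = d["out"] / d["in"] if d["in"] else float("inf")
        if ratio > MAX_UPLOAD_RATIO:
            reasons.append(f"upload/download byte ratio {ratio:.2f}")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


def constructed_flows():
    """Constructed sample: one normal streaming box and one proxy-like box."""
    flows = []
    # 192.168.1.20: streams video from two CDN addresses, download-heavy.
    for i in range(40):
        flows.append(Flow("192.168.1.20", f"203.0.113.{i % 2 + 1}", 443,
                          bytes_out=2_000, bytes_in=400_000))
    # 192.168.1.21: relays traffic to many unrelated hosts, upload ~= download.
    for i in range(60):
        flows.append(Flow("192.168.1.21", f"198.51.100.{i + 1}",
                          443 if i % 3 else 80,
                          bytes_out=30_000, bytes_in=28_000))
    return flows


if __name__ == "__main__":
    for ip, reasons in proxy_suspects(constructed_flows()).items():
        print(f"{ip}: {'; '.join(reasons)}")
```

Run against real export data, the output is a shortlist for the FBI's "immediately disconnect any suspected device" step, not a verdict on its own: a torrent client or a video-calling device also uploads heavily, so confirm by checking the device's vendor, whether it is Play Protect certified, and which apps were preloaded before pulling it off the network.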