The Federal Bureau of Investigation (FBI) on Thursday issued a fresh warning about BADBOX 2.0, a dangerous Android malware campaign that has quietly infected more than a million internet-connected devices in homes around the world. The malware turns everyday, lower-budget, and uncertified consumer electronics into tools for cybercriminals.
What Is BADBOX 2.0?
BADBOX 2.0 is the latest version of the original BADBOX malware that was discovered in 2023. It is primarily found on Chinese-manufactured Android-based devices, including digital streaming boxes, unbranded smart TVs, aftermarket vehicle infotainment systems, digital picture frames, low-budget tablets and projectors, and other Internet of Things (IoT) gadgets.
Often, these devices come preloaded with malware, or they get infected shortly after app downloads containing hidden backdoors.
“The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity,” warns the FBI.
“Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” the FBI added.
“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity.”
According to the FBI, once a device is infected, it links up with the attacker’s command-and-control (C2) servers, which then execute instructions for malicious tasks. For instance, the malware masks cyberattacks by routing hacker traffic through victims’ home networks, clicks ads in the background to generate fake revenue, and uses stolen credentials (such as usernames and passwords) to break into accounts while hiding behind residential IPs.
How Did It Spread So Widely?
Initially found pre-installed in cheap, no-name Android TV boxes like the T95, BADBOX quickly spread across the globe. Although Germany’s cybersecurity agency briefly disrupted the original version in 2024, a resurgence followed.
Just a week after the takedown, 192,000 new infections were detected by the researchers, this time affecting not only obscure devices but also mainstream brands like Yandex TVs and Hisense smartphones.
In March 2025, security firm HUMAN’s Satori Threat Intelligence reported that BADBOX 2.0 had infected more than a million devices across 222 countries. The hardest-hit regions include Brazil (37.6%), the U.S. (18.2%), Mexico (6.3%), and Argentina (5.3%).
“This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, ‘off brand’, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more,” explains HUMAN Security.
“The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide.”
Indicators of a BADBOX-infected device include:
- Suspicious third-party app stores
- Disabled Google Play Protect
- Strange or excessive data traffic
- Devices from unknown brands promising free or premium content
FBI And Partners Step In
In response to BADBOX 2.0, a joint operation involving HUMAN, Google, Trend Micro, The Shadowserver Foundation, and others recently managed to block communication between over 500,000 compromised devices and the attackersโ servers. Despite efforts to disrupt it, the botnet grows as people unknowingly connect compromised products to their home networks.
Mitigation Measures
To minimize exposure to unauthorized residential proxy networks, the FBI urges consumers to take the following precautions:
- Check connected devices regularly for unusual behavior.
- Avoid installing apps from unofficial marketplaces advertising free streaming content.
- Monitor your home’s network traffic for irregularities or suspicious activity.
- Cut off internet access to any device you think might be infected.
- Ensure that your devices are updated regularly with official firmware and security patches.
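As an added illustration of the “strange or excessive data traffic” indicator and the advice to monitor home network traffic (example code written for this article, not from the FBI or HUMAN), the following Python heuristic flags a LAN device whose flows look like relayed proxy traffic: many unrelated external destinations with roughly symmetric upload and download volumes. The flow records, the 192.168.1.0/24 LAN range, and the thresholds are constructed assumptions.

```python
"""Heuristic residential-proxy check over home-router flow records.

Assumes per-flow tuples (src_ip, dst_ip, dst_port, bytes_out, bytes_in)
exported by a router or a flow collector; the sample below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home network range

# Constructed sample flows (TEST-NET addresses stand in for real hosts).
SAMPLE_FLOWS = [
    # a laptop streaming video: few destinations, download-heavy
    ("192.168.1.20", "203.0.113.10", 443, 5_000, 1_200_000),
    ("192.168.1.20", "203.0.113.11", 443, 3_000, 800_000),
    # a printer that only talks to the LAN
    ("192.168.1.30", "192.168.1.1", 631, 2_000, 500),
] + [
    # an uncertified TV box relaying traffic: many unrelated external
    # destinations with roughly symmetric byte counts
    ("192.168.1.50", f"198.51.100.{i}", 443, 30_000 + i, 31_000)
    for i in range(1, 15)
]


def summarize(flows):
    """Per source device: distinct external destinations and byte totals."""
    stats = defaultdict(lambda: {"dests": set(), "out": 0, "in": 0})
    for src, dst, _port, bytes_out, bytes_in in flows:
        if ip_address(dst) in LAN:
            continue  # LAN-internal traffic is not relevant to this check
        entry = stats[src]
        entry["dests"].add(dst)
        entry["out"] += bytes_out
        entry["in"] += bytes_in
    return stats


def flag_proxy_candidates(flows, min_dests=10, min_out_ratio=0.5):
    """Return devices that fan out to many hosts AND upload about as much
    as they download; a normal streaming client fails the ratio test."""
    flagged = []
    for src, entry in summarize(flows).items():
        ratio = entry["out"] / max(entry["in"], 1)
        if len(entry["dests"]) >= min_dests and ratio >= min_out_ratio:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print("Proxy-like devices:", flag_proxy_candidates(SAMPLE_FLOWS))
```

A device flagged this way deserves the article's follow-up steps: disconnect it, check for unknown app stores or a disabled Play Protect, and verify the firmware source.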