FBI Warns: Android Smart Devices Infected By BADBOX 2.0 Malware


The FBI has issued a warning about a dangerous new wave of Android malware known as BADBOX 2.0, which has already infected over 1 million consumer devices globally. These infected devices are being secretly turned into residential proxy bots, allowing cybercriminals to carry out malicious activities while hiding their real locations.

BADBOX 2.0

BADBOX 2.0 is the latest version of a malware campaign that targets Android-based smart devices—especially low-cost and uncertified smart TVs, streaming boxes, tablets, digital projectors, and other Internet of Things (IoT) gadgets. Most of these devices are manufactured in China and shipped worldwide.

This malware is designed to silently take over your device and connect it to a botnet—a large network of infected machines controlled remotely by hackers. Once your device is compromised, it may unknowingly be used for illegal activities.

According to the FBI, BADBOX 2.0 spreads in multiple ways:

  • Devices come preloaded with the malware even before you buy them.

  • During setup, devices may download fake updates or malicious apps from unofficial sources.

  • Users unknowingly install infected apps from third-party app stores or even occasionally from Google Play.

Once installed, the malware connects the device to command-and-control (C2) servers, which allow attackers to issue commands remotely.

The FBI highlights several malicious purposes of BADBOX 2.0:

  1. Residential Proxy Networks
    Hackers route their own traffic through victims’ home IP addresses. This helps them mask cybercrime activities behind innocent-looking network traffic.

  2. Ad Fraud
    The malware secretly loads and clicks on ads in the background, helping attackers earn money from fake ad views and clicks.

  3. Credential Stuffing
    Using the infected device’s IP, hackers try stolen usernames and passwords to break into online accounts without triggering security alerts.

The original BADBOX malware was discovered in 2023, found mostly in cheap Android TV boxes such as the T95. In 2024, German cybersecurity experts managed to disrupt the malware’s communication infrastructure temporarily, which reduced its spread.

However, the criminals quickly regrouped. Just a week after the disruption, the malware was spotted again on 192,000 new devices, including some mainstream brands like Hisense smartphones and Yandex smart TVs.

By March 2025, researchers from HUMAN’s Satori Threat Intelligence team estimated that the upgraded BADBOX 2.0 had infected over 1 million devices, giving rise to a more powerful and widespread botnet.

According to HUMAN’s global analysis, BADBOX 2.0 has been detected in 222 countries and territories. The highest infection rates are seen in:

  • Brazil – 37.6%

  • United States – 18.2%

  • Mexico – 6.3%

  • Argentina – 5.3%

This clearly shows that the malware is not limited to one region—it is a global cybersecurity threat.


In a coordinated effort, Google, Trend Micro, The Shadowserver Foundation, and other partners joined HUMAN in disrupting BADBOX 2.0. They successfully blocked over 500,000 infected devices from communicating with hacker-controlled servers.

But the problem isn’t over. As long as consumers unknowingly buy and connect compromised devices to their home networks, the botnet continues to grow.

The malware has been found on many uncertified or generic Android devices. Some of the affected models include:

  • TV98, X96mini, X96Q_Max_P, MX10PRO, MBOX, Q96L2, TX3mini, KM6, SmartTV, and many others.

These devices often advertise features like “free streaming,” “unlocked content,” or “jailbroken systems”—which should be immediate red flags.

Watch out for these signs that your device may be infected:

  • Access to unofficial app stores or suspicious app marketplaces

  • Google Play Protect disabled by default

  • Devices marketed as offering free content or streaming hacks

  • Unknown or off-brand manufacturers

  • Unusual internet traffic from your home network

Most of these devices are not Play Protect certified and are based on the Android Open Source Project (AOSP) rather than Google-certified Android TV.

To reduce your risk of infection from BADBOX 2.0 or similar threats, the FBI recommends the following steps:

  1. Evaluate all IoT devices connected to your home network for signs of unusual behavior.

  2. Avoid downloading apps from unofficial or third-party sources.

  3. Monitor your home network traffic regularly to detect anything abnormal.

  4. Keep your devices updated with the latest firmware and security patches.

  5. Choose certified devices only, preferably from trusted brands and vendors.
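The third recommendation (monitor home network traffic) is easier to act on with a concrete heuristic for the residential-proxy behaviour described earlier: a genuine streaming box talks to a handful of CDN hosts and is download-heavy, whereas a device being used as a proxy exit fans out to many unrelated destinations and uploads more than it downloads. The script below is an added example, not code from the FBI or HUMAN reports; the flow records are constructed, and the thresholds are assumptions you would tune to your own network.

```python
"""Flag home-network devices whose outbound traffic looks like a residential
proxy node rather than a streaming box.  Added example: FLOWS is constructed
router flow data and the thresholds are assumptions, not published values."""
from collections import defaultdict

# Constructed flow export: (device_ip, dst_ip, dst_port, bytes_out, bytes_in).
# Remote addresses use the TEST-NET documentation ranges.
FLOWS = [
    # Certified streaming box: three CDN hosts, download-heavy
    ("192.168.1.20", "203.0.113.10", 443, 20_000, 900_000),
    ("192.168.1.20", "203.0.113.11", 443, 15_000, 850_000),
    ("192.168.1.20", "203.0.113.12", 443, 10_000, 700_000),
    # Uncertified TV box acting as a proxy exit: 40 unrelated hosts, upload-heavy
    *[("192.168.1.31", f"198.51.100.{i}", port, 60_000, 20_000)
      for i, port in zip(range(1, 41), [80, 443, 8080, 25] * 10)],
]


def summarize(flows):
    """Aggregate per device: distinct destinations, ports and byte totals."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "out": 0, "in": 0})
    for dev, dst, port, b_out, b_in in flows:
        s = stats[dev]
        s["dsts"].add(dst)
        s["ports"].add(port)
        s["out"] += b_out
        s["in"] += b_in
    return stats


def proxy_suspects(flows, min_dsts=25, min_upload_ratio=1.5):
    """Return {device: reasons} for devices that BOTH fan out to many
    destinations AND upload more than they download.  Either signal alone is
    common for legitimate devices; the combination is what stands out."""
    suspects = {}
    for dev, s in summarize(flows).items():
        ratio = s["out"] / max(s["in"], 1)  # avoid division by zero
        reasons = []
        if len(s["dsts"]) >= min_dsts:
            reasons.append(f"{len(s['dsts'])} distinct destinations")
        if ratio >= min_upload_ratio:
            reasons.append(f"upload/download ratio {ratio:.1f}")
        if len(reasons) == 2:
            suspects[dev] = reasons
    return suspects


if __name__ == "__main__":
    for dev, why in proxy_suspects(FLOWS).items():
        print(f"{dev}: {'; '.join(why)}")
```

A flagged device is a prompt to check what it is and who made it, not proof of infection; pair the result with the device's certification status and firmware source before drawing conclusions.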

The BADBOX 2.0 malware campaign is a reminder of the growing risks in today’s connected world. As more households adopt smart devices, ensuring the security of IoT devices is no longer optional—it’s essential.

Avoid “too good to be true” deals on unknown brands, and always verify the authenticity and security certification of smart gadgets. Because in today’s world, even your TV or projector could become a tool for cybercrime.
