Badbox botnet update: Badbox 2.0 malware spreads to more than 1 million Android devices, says FBI


The United States Federal Bureau of Investigation (FBI) has issued a warning that the Badbox 2.0 malware campaign has infected more than 1 million Android devices. First discovered in early 2023 on a T95 Android TV box sold on Amazon, the malware comes pre-installed on a range of Chinese-made, unbranded Android-powered smart TVs, streaming boxes, tablets and other IoT devices.

It was also noted that, among the 1.6 million devices the malware infected, several Android TVs were from known brands such as Hisense and Yandex. According to cybersecurity firm Bitsight, the majority of devices infected by Badbox were in countries including India, Russia, China, Brazil, Ukraine and Belarus.

What is Badbox 2.0, and what does it do?

Believed to belong to the Triada family of malware, the Badbox botnet's main goal is financial gain through ad fraud and credential theft. The malware not only generates revenue for threat actors by clicking on ads in the background, but also attempts to take over accounts using the stolen credentials.


To mask its malicious activity, the Badbox botnet routes traffic through infected devices, making it harder to tell where the data is being sent. Germany's Federal Office for Information Security (BSI) said that the malware also targeted devices with old firmware, such as streaming devices, media players and digital picture frames.

If your device is overheating, showing performance issues such as high CPU usage, or changing its settings on its own, there is a chance it is hosting the Badbox malware. While most infected devices are tampered with at the supply-chain level, some are infected through the installation of untrusted third-party apps.


Badbox 2.0 evolved from the original Badbox network and has continued to spread over the years despite international agencies cracking down on the botnet's infrastructure and operations. Signs of infection include the system automatically installing shady app marketplaces, Google Play Protect being disabled, or streaming devices offering unlimited free access to content.

Last year, German authorities disrupted the malware's botnet network, but despite their efforts, a security researcher said in December that Badbox "still seems to be very much alive and spreading." A week after the crackdown, experts claimed that Badbox was still infecting more than 192,000 devices.


According to HUMAN's Satori Threat Intelligence team, the malware had infected more than 1 million consumer devices by March 2025. Spread across more than 222 countries and territories worldwide, these infected devices do not run Android TV OS but are based on the Android Open Source Project (AOSP) and are not Google Play Protect certified. The FBI also said that these devices are manufactured in mainland China and shipped worldwide.

© IE Online Media Services Pvt Ltd
