BADBOX 2.0 Android malware infects millions of consumer devices


The FBI warns that the BADBOX 2.0 malware campaign has infected over a million Internet-connected devices, turning consumer electronics into residential proxies that are used for malicious activity.

The BADBOX botnet is commonly found on cheap Chinese Android smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices.

“The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity,” warns the FBI.

The devices either come preloaded with the BADBOX 2.0 malware or are infected later through firmware updates and through malicious Android apps that slip into Google Play and third-party app stores.

“Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user’s purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” explains the FBI.

“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity.”

Once infected, the devices connect to the attackers’ command and control (C2) servers, from which they receive commands to execute on the compromised device, such as:

  • Residential proxy networks: the malware routes other cybercriminals’ traffic through the victims’ home IP addresses, masking the malicious activity.
  • Ad fraud: BADBOX can load and click ads in the background, generating advertising revenue for the threat actors.
  • Credential stuffing: by routing attempts through the victims’ IP addresses, the attackers try to access other people’s accounts using stolen credentials.

BADBOX 2.0 evolved from the original BADBOX malware, which was first identified in 2023 after it was found preinstalled on cheap Android TV boxes such as the T95.

The botnet kept growing until 2024, when Germany’s cybersecurity agency disrupted it within the country by sinkholing the communication between infected devices and the attackers’ infrastructure, effectively rendering the malware useless there.

However, this did not stop the threat actors: a week later, researchers reported finding the malware installed on 192,000 devices. Even more worrying, the malware was found on more mainstream brands, such as Yandex TVs and Hisense smartphones.

Unfortunately, despite the earlier disruption, the botnet continued to grow, with HUMAN’s Satori Threat Intelligence team reporting in March 2025 that more than a million consumer devices had been infected.

This new, larger botnet is now tracked as BADBOX 2.0 to mark a new iteration of the malware campaign.

“This scheme impacted more than a million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, ‘off brand’, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more,” explains HUMAN.

“Infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide.”

HUMAN’s researchers believe the BADBOX 2.0 botnet spans 222 countries, with the largest numbers of compromised devices in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).

[Figure: Global distribution of BADBOX 2.0. Source: HUMAN Satori]

In a joint operation led by HUMAN’s Satori team and Google, together with Trend Micro, the Shadowserver Foundation, and other partners, the BADBOX 2.0 botnet was disrupted again, cutting more than 500,000 infected devices off from the attackers’ servers.

However, even after this disruption, the botnet continues to grow as consumers buy more compromised products and connect them to the Internet.

A list of devices known to be affected by the BADBOX malware is below (four columns, read across):

Device model | Device model | Device model | Device model
TV98 | X96q_max_p | Q96L2 | X96Q2
X96Mini | S168 | UMS512_1h10_natv | X96_s400
X96Mini_rp | Tx3mini | Hy-001 | MX10Pro
X96mini_plus1 | Longv_GN7501E | XTV77 | Netbox_b68
X96q_pr01 | AV-M9 | Adt-3 | Ocbn
X96Mate_plus | Km1 | X96q_pro | Projector_t6p
X96QPro-TM | SP7731E_1H10_Native | M8SPROW | TV008
X96Mini_5g | Q96MAX | Orbsmart_tr43 | Z6
Tvbox | Smart | Km | A15
Transpeed | Km7 | Isinbox | I96
Smart_tv | Fujicom-SmartTV | MXQ9Pro | Mbox
X96q | Isinbox | Mbox | R11
GameBox | Km6 | X96max_plus2 | TV007
Q9 Stick | SP7731E | H6 | X88
X98K | Txcz | |
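Checking a box you already own against the list above by hand is error-prone because vendors spell the same model several ways (X96q, X96Q, X96_Q). The script below is an added example, not FBI, HUMAN or BleepingComputer code: it parses the output of `adb shell getprop`, compares the model-bearing properties against the device list after normalising case, underscores, hyphens and spaces, and adds two further indicators the article mentions, an AOSP build signed with the public test-keys and Play Protect app verification being off. It assumes the verifier flag is read with `adb shell settings get global package_verifier_enable` (prints 1 when enabled, 0 when disabled, and the string null when it was never set); both device outputs are constructed samples embedded inline so the script runs offline.

```python
"""Triage an Android box from `getprop` output against the BADBOX device list.

Added example; not FBI, HUMAN or BleepingComputer code. Assumes the property
dump comes from `adb shell getprop` and the Play Protect app-verification
flag from `adb shell settings get global package_verifier_enable`. Both
inputs below are constructed samples so the script runs offline.
"""
import re

# Device models from the list above. Comparison ignores case, underscores,
# hyphens and spaces because vendors spell the same model inconsistently.
BADBOX_MODELS = [
    "TV98", "X96q_max_p", "Q96L2", "X96Q2", "X96Mini", "S168", "UMS512_1h10_natv",
    "X96_s400", "X96Mini_rp", "Tx3mini", "Hy-001", "MX10Pro", "X96mini_plus1",
    "Longv_GN7501E", "XTV77", "Netbox_b68", "X96q_pr01", "AV-M9", "Adt-3", "Ocbn",
    "X96Mate_plus", "Km1", "X96q_pro", "Projector_t6p", "X96QPro-TM",
    "SP7731E_1H10_Native", "M8SPROW", "TV008", "X96Mini_5g", "Q96MAX",
    "Orbsmart_tr43", "Z6", "Tvbox", "Smart", "Km", "A15", "Transpeed", "Km7",
    "Isinbox", "I96", "Smart_tv", "Fujicom-SmartTV", "MXQ9Pro", "Mbox", "X96q",
    "R11", "GameBox", "Km6", "X96max_plus2", "TV007", "Q9 Stick", "SP7731E",
    "H6", "X88", "X98K", "Txcz",
]


def normalize_model(name):
    """Canonical form used for matching: lowercase, no separators."""
    return re.sub(r"[\s_\-]+", "", name).lower()


_BADBOX_NORMALIZED = {normalize_model(m) for m in BADBOX_MODELS}

# getprop prints one property per line as "[key]: [value]"
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn raw `getprop` output into a {key: value} dict; unparseable lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


# Properties that commonly carry the marketing or board model name.
MODEL_KEYS = ("ro.product.model", "ro.product.device", "ro.build.product", "ro.product.name")


def triage(getprop_text, verifier_setting):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    props = parse_getprop(getprop_text)
    findings = []
    for key in MODEL_KEYS:
        value = props.get(key, "")
        if value and normalize_model(value) in _BADBOX_NORMALIZED:
            findings.append(f"{key}={value!r} is on the BADBOX device list")
    # Production firmware is signed with the vendor's release-keys; an image
    # signed with the public AOSP test-keys is a strong hint of an uncertified box.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("firmware is signed with AOSP test-keys (not a certified build)")
    # Assumption: anything other than "1" (including "null", i.e. never set) is
    # treated as verification not confirmed on and is flagged for a manual check.
    flag = verifier_setting.strip()
    if flag != "1":
        findings.append(f"Play Protect app verification is not enabled (package_verifier_enable={flag!r})")
    return findings


# Constructed sample: a cheap X96Q-style box running an AOSP test-keys build.
SAMPLE_BOX = """\
[ro.product.model]: [X96Q]
[ro.product.device]: [X96Q]
[ro.build.product]: [X96Q]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [10]
"""

# Constructed sample: an ordinary certified device with a made-up model name.
SAMPLE_CLEAN = """\
[ro.product.model]: [Example_TV_2024]
[ro.product.device]: [exampletv]
[ro.build.product]: [exampletv]
[ro.build.tags]: [release-keys]
[ro.build.version.release]: [14]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_BOX, "null"):
        print("!", finding)
    print("clean device findings:", triage(SAMPLE_CLEAN, "1"))
```

A model-name match alone is not proof of infection (the list covers models the malware has been seen on, and firmware varies between batches), which is why the script reports the build signing and Play Protect indicators alongside it rather than a single verdict.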

Symptoms of a BADBOX 2.0 infection include the presence of suspicious app marketplaces, Google Play Protect being disabled, TV streaming devices advertised as unlocked or able to access free content, devices from unknown brands, and suspicious Internet traffic.

In addition, this malware is commonly found on devices that are not Google Play Protect certified.

The FBI strongly advises consumers to protect themselves from the botnet by following these steps:

  • Assess all IoT devices connected to home networks for suspicious activity.
  • Avoid downloading apps from unofficial marketplaces advertising “free streaming” apps.
  • Monitor Internet traffic to and from home networks.
  • Keep all home devices up to date with the latest patches and updates.
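“Monitor Internet traffic” and “suspicious Internet traffic” are only useful advice if you know what to look for. Two behaviours described in this article stand out in flow data: a box used as a residential proxy talks to many unrelated Internet hosts in a short time and uploads far more than it downloads, and a bot checks in with its C2 server on a timer, so its connection intervals are nearly constant. The script below is an added example, not FBI or HUMAN code, that applies both checks to per-connection flow records of the kind a router, firewall or Zeek conn.log can export. The records it runs on are constructed inline for the demo and use RFC 5737 documentation ranges as the “external” addresses; the thresholds (20 destinations per hour, six check-ins with under 10% interval jitter) are starting points to tune for your own network.

```python
"""Flag proxy-like fan-out and C2 beaconing in home-network flow records.

Added example, not FBI or HUMAN code. Assumes per-connection flow records
(timestamp, source, destination, port, bytes each way) exported from a
router, firewall or Zeek conn.log. The records below are constructed for
the demo and use documentation address ranges as "external" hosts.
"""
import ipaddress
import statistics
from collections import defaultdict

FIELDS = ("ts", "src", "dst", "dport", "bytes_out", "bytes_in")

# RFC 1918 ranges; anything else is treated as an Internet destination.
# (ipaddress's is_private would also classify the documentation ranges used
# in the sample as private, so an explicit list is used instead.)
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def proxy_fanout(flows, window=3600, min_destinations=20):
    """Per LAN host: the largest number of distinct external destinations it
    contacted within any `window` seconds, plus its upload share of traffic.
    A box relaying other people's traffic talks to many unrelated hosts and
    sends far more than it receives."""
    by_src = defaultdict(list)
    for f in flows:
        if is_lan(f["src"]) and not is_lan(f["dst"]):
            by_src[f["src"]].append(f)
    findings = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        peak = 0
        for i, start in enumerate(fl):  # sliding window anchored at each flow
            seen = {g["dst"] for g in fl[i:] if g["ts"] < start["ts"] + window}
            peak = max(peak, len(seen))
        out = sum(f["bytes_out"] for f in fl)
        total = out + sum(f["bytes_in"] for f in fl)
        if peak >= min_destinations:
            findings[src] = {"peak_destinations": peak,
                             "upload_share": round(out / total, 3) if total else 0.0}
    return findings


def beaconing(flows, min_events=6, max_cv=0.1):
    """Per (src, dst, port): flag connection series whose inter-arrival times
    are nearly constant (coefficient of variation <= max_cv), the signature
    of a check-in timer rather than a person clicking around."""
    series = defaultdict(list)
    for f in flows:
        if not is_lan(f["dst"]):
            series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, port), ts in series.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def constructed_flows():
    """Constructed sample: a streaming box (192.168.1.50) that checks in with a
    C2 every ~300 s and relays proxy traffic to 30 unrelated hosts within an
    hour, and a laptop (192.168.1.20) doing ordinary browsing."""
    base = 1_700_000_000
    rows = []
    for i in range(12):  # C2 check-ins, 300 s apart with a little jitter
        rows.append((base + i * 300 + i % 3, "192.168.1.50", "203.0.113.10", 443, 412, 1280))
    for i in range(30):  # relayed proxy sessions: upload-heavy, 30 distinct destinations
        rows.append((base + 17 + i * 60, "192.168.1.50", f"198.51.100.{i + 1}", 443, 51_000, 9_000))
    for i in range(4):   # laptop: a few downloads from a handful of sites
        rows.append((base + 40 + i * 500, "192.168.1.20", f"203.0.113.{50 + i}", 443, 3_000, 120_000))
    return [dict(zip(FIELDS, r)) for r in rows]


if __name__ == "__main__":
    flows = constructed_flows()
    print("proxy-like hosts:", proxy_fanout(flows))
    print("beacons:", beaconing(flows))
```

Run it and only the streaming box is reported: 31 distinct external destinations inside one hour with an upload share above 80%, and one 300-second beacon to 203.0.113.10:443. The laptop, with four downloads to four sites, trips neither check. On a real network, a device that trips either check is a candidate for the isolation step described below; pinning the device to its own VLAN or blocking it at the router before pulling the plug preserves the traffic evidence.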

Finally, if you believe a device is compromised, isolate it from the rest of the network and restrict its Internet access, which effectively neuters the malware.
