BadBox 2.0 Malware Comes Preinstalled on Millions of Android Devices

Written by Scarlet Mendoza | Jun 5, 2025 11:23:32 PM

The FBI has issued a new warning about the BadBox 2.0 malware, which has already infected millions of internet-connected devices worldwide.

Although BadBox is not a new threat, its evolution and the discovery of its presence in even more devices have raised concerns. This botnet targets consumer electronics such as smart TVs, projectors, tablets, and low-cost IoT devices—most of them manufactured in China and running the Android operating system.

What’s most alarming is that many of these devices come pre-infected from the factory or become compromised later through the installation of malicious apps or firmware updates. Once infected, the devices turn into nodes of a residential proxy network, used by cybercriminals to hide their identity and conduct illegal activities.

“The BadBox 2.0 botnet includes millions of compromised devices and multiple backdoors that allow attackers to sell or use access to other people’s home networks,” the FBI warns.

How does it happen? It’s simple: you buy a cheap device, turn it on, download a few apps, and without knowing it, the device is already connected to the attackers’ command and control servers, which direct it on what to do. From there, your network can be used to send spam, launch attacks, or even spy on you.

The FBI stresses that the danger lies in the fact that once these devices are inside your Wi-Fi network, they can act as silent “Trojan horses.” BadBox 2.0 not only infiltrates your device—it puts it to work without your knowledge. For example:

  1. Invisible proxy networks: Redirects other criminals’ traffic through your internet connection, making it look like the malicious activity is coming from your home.

  2. Ad fraud: Opens and clicks on ads without your awareness, generating revenue for attackers while consuming your bandwidth.

  3. Credential stuffing: Uses your IP address to try logging into other people’s accounts with stolen passwords. This helps bypass some security systems that block login attempts from suspicious IPs.

Where Did BadBox Come From?

It all began in 2023, when it was first detected in certain cheap Android TV devices that were already infected straight from the factory. Over time, the network of compromised devices grew until, in 2024, authorities in Germany managed to disrupt part of the operation by blocking communication between the devices and the attackers’ servers.

But that was only a temporary relief. Just a week later, researchers found the malware active on nearly 200,000 more devices. And this time, it wasn’t just unknown brands—models from more popular manufacturers like Yandex TVs and Hisense phones were also affected.

Far from disappearing, BadBox evolved and came back stronger. This new phase is known as BadBox 2.0, and by March 2025, it had already infiltrated over a million devices worldwide. Which ones? Cheap tablets, TV set-top boxes, digital projectors, and many other uncertified generic-brand gadgets—most of them manufactured in China.

It’s important to clarify that these are not devices with Google-certified Android (such as those protected by Play Protect), but rather versions of the open-source Android system, which are more vulnerable and easier to modify.

Where Is BadBox 2.0 Most Prevalent?

According to analysis, this network of compromised devices has been detected in 222 countries and territories. The most affected regions are:

  1. Brazil: 37.6% of cases

  2. United States: 18.2%

  3. Mexico: 6.3%

  4. Argentina: 5.3%

This shows that the problem is global, and anyone could be part of this network without even knowing it.

Global Distribution of BADBOX 2.0 (Source: Human Satori)

How to Know if Your Device Is Infected with BadBox 2.0 and What You Can Do About It

In a joint operation involving the cybersecurity team at Satori, along with Google, Trend Micro, Shadowserver, and other specialists, over 500,000 infected devices were successfully blocked from communicating with the attackers’ servers. This marked a significant step in slowing the spread of BadBox 2.0—but the problem is far from over.

Despite these efforts, the threat continues to grow. Why? Because many people are still buying devices that come pre-infected from the factory. They connect them to their Wi-Fi network… and that’s it! The botnet keeps expanding with new devices, and no one even notices.

Devices Known to Be Infected

Model 1         Model 2               Model 3            Model 4
TV98            X96Q_Max_P            Q96L2              X96Q2
X96mini         S168                  ums512_1h10_Natv   X96_S400
X96mini_RP      TX3mini               HY-001             MX10PRO
X96mini_Plus1   LongTV_GN7501E        Xtv77              NETBOX_B68
X96Q_PR01       AV-M9                 ADT-3              OCBN
X96MATE_PLUS    KM1                   X96Q_PRO           Projector_T6P
X96QPRO-TM      sp7731e_1h10_native   M8SPROW            TV008
X96Mini_5G      Q96MAX                Orbsmart_TR43      Z6
TVBOX           Elegant               KM9PRO             A15
Transvelocity   KM7                   iSinbox            I96
Smart TV        Fujicom-SmartTV       MXQ9PRO            MBOX
X96Q            isinbox               Mbox               R11
Game box        KM6                   X96Max_Plus2       TV007
Q9 Stick        SP7731E               H6                 X88
X98K            TXCZ

How to Tell If Your Device Might Be Infected

There are several signs that can help you determine if something is wrong:

  1. Strange apps appear that you never downloaded.

  2. The device comes with Google Play Protect disabled, or it's not certified at all.

  3. It was marketed as “unlocked” or offering free access to paid services.

  4. Your internet network behaves oddly, as if it's constantly sending or receiving data.

  5. The device brand sounds generic or completely unfamiliar.

How to Protect Yourself from These Threats

Here are a few simple but effective steps to help keep your home network secure:

  1. Check all devices connected to your Wi-Fi network. If you see something suspicious or unrecognized, investigate it thoroughly.

  2. Avoid installing apps from unofficial stores. If an app promises free access to normally paid content, something is probably off.

  3. Monitor your home internet traffic. Some routers or apps can help you see if a device is transmitting data without a clear reason.

  4. Keep all your devices updated. While it may be tedious, updates often fix critical security flaws.

  5. If you suspect a device is infected, disconnect it from the internet. This will halt the malware’s activity and prevent communication with the attackers.

In Short: If you're going to buy a TV box, tablet, or any other budget Android device, make sure it's from a trusted brand and has Google certification. Because when it comes to digital security, cheap can turn out to be very expensive.
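A small defender-side triage script, added here as an illustration (it is not from the article, the FBI, or any vendor tooling), that automates two of the checks above: it compares the hostnames in your router's DHCP lease table against a subset of the model names from the "Devices Known to Be Infected" table, and it flags any device that opens connections to many different external hosts and ports, which is the traffic profile of a residential proxy node. The lease and flow layouts, the addresses, the function names and the assumption that a TV box reports its model name as its DHCP hostname are all constructed for this example.

```python
import re
from collections import defaultdict

def _norm(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())  # ignore case and punctuation

# Subset of the model names from the article's "Devices Known to Be Infected" table.
KNOWN_BADBOX_MODELS = {"TV98", "X96Q_Max_P", "Q96L2", "X96Q2", "X96mini", "X96_S400",
                       "TX3mini", "MX10PRO", "X96Q_PRO", "X96QPRO-TM", "Q96MAX", "KM9PRO",
                       "MXQ9PRO", "X96Max_Plus2", "Q9 Stick", "Game box", "X88", "X98K"}
_KNOWN_NORM = {_norm(m) for m in KNOWN_BADBOX_MODELS}

# Constructed router DHCP lease export (hypothetical layout): ip mac hostname
DHCP_LEASES = """\
192.168.1.20 aa:bb:cc:00:00:01 X96Q-PRO
192.168.1.21 aa:bb:cc:00:00:02 Pixel-7
192.168.1.22 aa:bb:cc:00:00:03 LivingRoomTV
"""
# Constructed outbound flow log (hypothetical layout): src_ip dst_ip dst_port. The box
# at .20 reaches unrelated hosts on mail and proxy ports, as a relay node would.
FLOW_LOG = """\
192.168.1.20 203.0.113.5 443
192.168.1.20 198.51.100.7 8080
192.168.1.20 198.51.100.9 25
192.168.1.20 192.0.2.17 3128
192.168.1.21 203.0.113.5 443
192.168.1.22 203.0.113.5 443
"""

def parse_leases(text):
    """Return {ip: hostname}; hostnames may contain spaces, so split only twice."""
    rows = (line.split(None, 2) for line in text.splitlines() if line.strip())
    return {ip: host.strip() for ip, _mac, host in rows}

def known_model_hits(leases):
    """IPs whose DHCP hostname matches a listed model."""
    return {ip: h for ip, h in leases.items() if _norm(h) in _KNOWN_NORM}

def proxy_like_hosts(flow_text, min_peers=4):
    """IPs talking to at least min_peers distinct (dst_ip, dst_port) pairs.
    Tune min_peers per device class: a laptop legitimately reaches many hosts on 443."""
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            peers[src].add((dst, port))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}

def triage(lease_text=DHCP_LEASES, flow_text=FLOW_LOG):
    """Per IP: (hostname, listed model?, distinct peers); a hit on both signals comes first."""
    leases = parse_leases(lease_text)
    hits, noisy = known_model_hits(leases), proxy_like_hosts(flow_text)
    return {ip: (leases.get(ip, "?"), ip in hits, noisy.get(ip, 0)) for ip in set(hits) | set(noisy)}
```

Any device returned by `triage()` is a candidate for step 5 above: take it offline first, then investigate.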