Malware | January 18, 2026 | 4 min read

FBI: BadBox 2.0 Malware Pre-Installed on 1M+ Android Devices

Budget Android TV boxes and tablets ship with backdoors from the factory, turning home networks into criminal infrastructure for ad fraud and proxy services.

James Rivera

The FBI is warning that over one million Android-based streaming devices, tablets, and projectors have been compromised by BadBox 2.0, a malware operation that infects devices before they even leave the factory. Buyers of budget electronics from unfamiliar brands may be purchasing devices that are already enrolled in criminal networks.

The warning follows coordinated disruption efforts by the FBI, Google, Trend Micro, HUMAN Security, and the Shadowserver Foundation, which severed communications between half a million infected devices and their command servers. But the botnet continues growing as more compromised products reach consumers.

Pre-Installed Malware at Scale

BadBox 2.0 differs from typical malware campaigns because the infection happens in the supply chain, not on the user's network. Devices manufactured in mainland China arrive with backdoors already installed in the firmware. Others get compromised during initial setup through malicious firmware updates or apps from unofficial marketplaces.

The infection spans 222 countries, with the highest concentrations in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). Specific models identified as compromised include TV98, X96Q, X96mini, TX3mini, MX10PRO, KM9PRO, and dozens of others.

Notably, the malware has spread beyond no-name devices. Researchers found infections on Yandex TVs and Hisense smartphones, suggesting the problem extends further into recognizable consumer electronics.

What Infected Devices Do

Once a BadBox 2.0 device connects to a home network, it becomes part of a distributed criminal infrastructure with three primary functions:

Residential Proxy Network: The device routes traffic for other cybercriminals, who pay to use legitimate home IP addresses. This makes their malicious activities—account takeovers, credential stuffing, fraud—harder to detect and block.

Ad Fraud: Background processes load and click on advertisements continuously, generating revenue for the botnet operators while consuming bandwidth and processing power.

2FA Code Theft: Some variants intercept two-factor authentication codes, enabling account compromise for services the device owner actually uses.

The operators can also push additional malware payloads at any time, expanding the device's role in criminal operations.

Google's Lawsuit and Disruption Efforts

Google filed a lawsuit in July 2025 against 25 unidentified defendants operating what it called the "BadBox 2.0 Enterprise"—a botnet of over ten million uncertified Android devices engaged in advertising fraud.

The distinction matters: these aren't devices running official Android TV. They run the Android Open Source Project (AOSP) without Google Play Protect certification. That certification process exists precisely to prevent this kind of supply chain compromise, but budget manufacturers skip it to reduce costs.

Previous disruption efforts have been temporary. Germany's cybersecurity agency sinkholed BadBox communications in 2024, only to find 192,000 devices re-infected within a week. The business model sustains itself because cheap devices keep shipping and consumers keep buying them.

How to Identify Compromised Devices

The FBI recommends checking for these warning signs:

  • Strange app marketplaces appear during setup instead of the Google Play Store
  • Play Protect shows as disabled and cannot be enabled
  • The device is advertised as "unlocked" or capable of "free streaming" from paid services
  • Unusual network activity or performance degradation over time
  • The brand is unfamiliar or the price seems too good to be true
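Several of the signs above can be checked mechanically before a device is put on a network. The script below is an added example, not part of the FBI advisory or the article: it parses the output of `adb shell getprop` and `adb shell pm list packages` (both standard Android tools) and reports a finding when the model name is one the article lists as compromised, when the Play Store (`com.android.vending`) or Play services (`com.google.android.gms`) package is missing, or when the bootloader reports a verified-boot state other than `green`. The device dumps embedded below are constructed for a stand-alone run; `NoNameTV`, `ExampleBrand`, `DemoCertifiedBox` and `com.example.market` are placeholders, not real products or packages.

```python
import re

# Models the article names as identified compromised. Matching ignores case,
# spaces, hyphens and underscores so "X96 mini" and "x96-mini" both match.
KNOWN_BAD_MODELS = {"TV98", "X96Q", "X96MINI", "TX3MINI", "MX10PRO", "KM9PRO"}

# Packages present on every Play-certified Android device. Without them there is
# no Play Store and no Play Protect to enable in the first place.
PLAY_STORE = "com.android.vending"
PLAY_SERVICES = "com.google.android.gms"

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_packages(text):
    """Parse `adb shell pm list packages` output ("package:<name>" per line)."""
    return {
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.strip().startswith("package:")
    }


def normalize_model(model):
    return re.sub(r"[\s\-_]", "", model).upper()


def triage(props, packages):
    """Return human-readable findings; an empty list means no warning sign was hit."""
    findings = []
    model = props.get("ro.product.model", "")
    if normalize_model(model) in KNOWN_BAD_MODELS:
        findings.append(f"model {model!r} is among the models identified as compromised")
    if PLAY_STORE not in packages:
        findings.append("Google Play Store is absent; a third-party marketplace likely takes its place")
    if PLAY_SERVICES not in packages:
        findings.append("Google Play services absent, so Play Protect is unavailable (uncertified AOSP build)")
    # ro.boot.verifiedbootstate is set at boot: "green" means the vendor-signed
    # image booted on a locked bootloader. Boxes that skip verified boot entirely
    # may not set it at all, so only an explicit non-green state is flagged here.
    state = props.get("ro.boot.verifiedbootstate")
    if state is not None and state != "green":
        findings.append(f"verified boot state is {state!r}, not 'green'")
    return findings


# Constructed dumps for a stand-alone run; they are not captures from a real device.
SUSPECT_GETPROP = """\
[ro.product.brand]: [NoNameTV]
[ro.product.model]: [X96Q]
[ro.build.version.release]: [10]
[ro.boot.verifiedbootstate]: [orange]
"""
SUSPECT_PACKAGES = """\
package:com.android.settings
package:com.example.market
"""
CLEAN_GETPROP = """\
[ro.product.brand]: [ExampleBrand]
[ro.product.model]: [DemoCertifiedBox]
[ro.boot.verifiedbootstate]: [green]
"""
CLEAN_PACKAGES = """\
package:com.android.settings
package:com.android.vending
package:com.google.android.gms
"""


def triage_dump(getprop_text, packages_text):
    return triage(parse_getprop(getprop_text), parse_packages(packages_text))


if __name__ == "__main__":
    for name, g, p in (("suspect", SUSPECT_GETPROP, SUSPECT_PACKAGES),
                       ("clean", CLEAN_GETPROP, CLEAN_PACKAGES)):
        print(name, "->", triage_dump(g, p) or ["no warning signs"])
```

Against a real box, save `adb shell getprop` and `adb shell pm list packages` to files and pass their contents to `triage_dump`. A clean result only means none of these four signs fired; a box that passes this check and still pushes an unfamiliar marketplace during setup deserves the same suspicion.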

For devices already deployed, network monitoring can help identify suspicious traffic patterns. Isolating IoT devices on separate network segments limits their access to other systems if compromised.
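The traffic pattern that separates a residential-proxy node from a normal streaming box is visible in plain flow records: a streaming box talks to a handful of CDN hosts, mostly in the evening, and downloads far more than it uploads; a relay reaches many distinct external hosts around the clock and sends roughly as much as it receives. The following script is an added example, not part of the article: it reads a hypothetical router flow export (`timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in`, a format constructed for this example), profiles each LAN device, and flags one when at least two of three indicators trip. The thresholds are assumptions for a home network, and the day of sample traffic is generated inline rather than captured.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for a home network; tune them for your environment.
MIN_DISTINCT_DESTS = 20   # a TV box talks to a handful of CDN hosts
MIN_UPLOAD_RATIO = 0.30   # a relay sends about as much as it receives
MIN_ACTIVE_HOURS = 18     # out of 24; a TV box is idle most of the night

# RFC 1918 ranges are treated as LAN; everything else counts as external
# (this deliberately includes the documentation ranges used in the sample).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flows(text):
    """Parse the constructed flow format: ts,src,dst,dst_port,bytes_out,bytes_in."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, out_b, in_b = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "out": int(out_b), "in": int(in_b)})
    return flows


def profile_devices(flows):
    """Aggregate per-source statistics over external destinations only."""
    stats = defaultdict(lambda: {"dests": set(), "out": 0, "in": 0, "hours": set(), "flows": 0})
    for f in flows:
        if is_lan(f["dst"]):
            continue  # DNS to the router and other LAN chatter is not relevant here
        s = stats[f["src"]]
        s["dests"].add(f["dst"])
        s["out"] += f["out"]
        s["in"] += f["in"]
        s["hours"].add(f["ts"].hour)
        s["flows"] += 1
    return stats


def flag_proxy_like(stats):
    """Return {device_ip: [reasons]} for devices whose pattern resembles a relay."""
    findings = {}
    for src, s in stats.items():
        reasons = []
        total = s["out"] + s["in"]
        ratio = s["out"] / total if total else 0.0
        if len(s["dests"]) >= MIN_DISTINCT_DESTS:
            reasons.append(f"{len(s['dests'])} distinct external destinations")
        if ratio >= MIN_UPLOAD_RATIO:
            reasons.append(f"upload share {ratio:.0%} of bytes")
        if len(s["hours"]) >= MIN_ACTIVE_HOURS:
            reasons.append(f"active in {len(s['hours'])} of 24 hours")
        # Two indicators are required so one busy evening does not raise an alert.
        if len(reasons) >= 2:
            findings[src] = reasons
    return findings


def build_sample_log():
    """Construct one day of flows: a normal streaming box and a relay-like box."""
    start = datetime(2026, 1, 18, 0, 0, 0)
    lines = ["# constructed sample, not real traffic"]
    # 192.168.1.20 streams from three CDN hosts in the evening, download-heavy.
    for hour in range(18, 24):
        for i in range(3):
            ts = start + timedelta(hours=hour, minutes=i * 10)
            lines.append(f"{ts.isoformat()},192.168.1.20,203.0.113.{10 + i},443,4000,30000000")
    # 192.168.1.21 reaches 48 different hosts around the clock, balanced bytes.
    for hour in range(24):
        for i in range(2):
            ts = start + timedelta(hours=hour, minutes=i * 30)
            lines.append(f"{ts.isoformat()},192.168.1.21,198.51.100.{hour * 2 + i + 1},443,250000,300000")
    # One DNS query to the router, which the LAN filter must ignore.
    lines.append(f"{start.isoformat()},192.168.1.21,192.168.1.1,53,60,120")
    return "\n".join(lines)


def analyze(text=None):
    flows = parse_flows(text if text is not None else build_sample_log())
    return flag_proxy_like(profile_devices(flows))


if __name__ == "__main__":
    for device, reasons in analyze().items():
        print(device, "->", "; ".join(reasons))
```

Run as-is, it flags `192.168.1.21` on all three indicators and leaves the streaming box alone. Fed a real export, the same profile also gives you the list of devices worth moving to an isolated IoT segment first.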

Stick With Known Brands

Lindsay Kaye, vice president of threat intelligence at HUMAN Security, offered straightforward advice: "It's safest to stick with name brands."

The price difference between a $30 streaming box and an established product like a Roku or Chromecast exists for reasons beyond brand markup. Certification processes, security reviews, and ongoing update support cost money. Manufacturers who skip those steps save on production costs but externalize the security risk to buyers.

For organizations, the same principle applies to any connected device deployed on networks. Uncertified hardware from unknown suppliers introduces supply chain risk that's difficult to assess and nearly impossible to mitigate after deployment.
