Beware! This malware has already infected 1M+ Android devices globally
Badbox 2.0 was first discovered in early 2023

Jun 06, 2025
04:02 pm

What's the story

The Federal Bureau of Investigation (FBI) has issued a warning about the Badbox 2.0 malware campaign, which has infected more than one million Android devices globally. The malicious software was first discovered in early 2023 on a T95 Android TV box sold on Amazon. It comes pre-installed on many unbranded, Chinese-manufactured Android-powered smart TVs, streaming boxes, tablets, and other Internet of Things (IoT) devices.

Targeted devices

Badbox 2.0 also targets devices with outdated firmware

The FBI's warning comes as a major cybersecurity concern, especially since several Android TVs from popular brands like Hisense and Yandex have also been affected by the Badbox 2.0 malware. Cybersecurity firm Bitsight found that most of the infected devices were in India, China, Russia, Brazil, Ukraine, and Belarus. The Federal Office of Information Security (BSI) in Germany said the malware also targeted devices running outdated firmware, such as streaming boxes, media players, and digital photo frames.

Malicious intent

How the Badbox botnet operates

The Badbox botnet, believed to be part of the Triada malware family, primarily aims at financial gain through ad fraud and credential theft. It generates revenue for threat actors by automatically clicking on ads in the background and attempts to take over accounts using stolen credentials. To hide its malicious activities, the Badbox botnet routes traffic through infected devices, making it difficult to trace where the data is going.

Evolution

Signs of infection and how devices are getting compromised

Badbox 2.0 is an evolved version of the original Badbox network, which has continued to spread despite international agencies cracking down on its operations. Signs of infection include the automatic installation of suspicious app marketplaces, Google Play Protect being disabled, or streaming devices offering unlimited free access to content. Most infected devices are compromised at the supply chain level, but some are infected through untrusted third-party apps.

Global reach

Authorities disrupted the malware's botnet network last year

Last year, German authorities disrupted the malware's botnet network, but it continues to spread. A security researcher reported in December that Badbox "still seems to be very much alive and spreading." A week after the crackdown, experts reported Badbox was still affecting over 192,000 devices. By March 2025, HUMAN's Satori Threat Intelligence found that the malware had infected over one million consumer devices across more than 222 countries and territories worldwide.