Sinister BADBOX Malware Infected Over 1M Android Devices, Is Yours One?
by Zak Killian · HotHardware

A new variant of the BADBOX malware campaign has taken root in over a million Android-based devices worldwide, and if you’ve picked up a cheap smart TV box or projector off Amazon or AliExpress lately, you might be part of the problem. BADBOX 2.0 is a sprawling botnet targeting Android Open Source Project (AOSP) devices—not certified Android TV gear—and it's converting them into residential proxies for cybercrime. It’s now the largest botnet leveraging connected TV (CTV) devices, and it’s big enough that even the FBI has issued a public warning.
What’s wild is how these devices get infected. Sometimes, it’s snuck in during setup via fake firmware updates or sketchy apps that bypass Google’s vetting, but more often than not these devices simply ship with the malware already baked in. Once compromised, they hook into remote command-and-control servers, allowing attackers to push out commands for all kinds of shady business: ad fraud, credential stuffing, and hiding malicious traffic behind your home IP address.
The infections are concentrated in budget hardware—unbranded tablets, sketchy CTV boxes, and off-market smartphones—almost exclusively manufactured in mainland China and then shipped globally. HUMAN Security’s Satori team observed BADBOX 2.0 activity in 222 countries and territories, with Brazil, the U.S., Mexico, and Argentina leading the chart. This thing is global, and it’s not just fringe gear anymore; even some Hisense and Yandex-branded devices were caught with infections.
Despite a partial takedown by Google, Trend Micro, Shadowserver, Human, and others that sinkholed a chunk of the botnet, the operation marches on. The criminals behind it are still pumping out infected devices, and consumers are unknowingly plugging them into their networks every day. Think of it like buying a new toaster, only it phones home to Shanghai every 20 minutes. The FBI’s own advisory warns that once these devices join your home network, they’re fair game for exploitation.
You’ll want to keep an eye out for the telltale signs: devices with dodgy app stores, devices where Google Play Protect is disabled or altogether absent, or especially marketing that promises "free streaming." Generally speaking, if it looks too good to be true, it probably comes with a backdoor. Your best defense? Stick to certified gear, avoid third-party app stores unless you really know what you're doing, and monitor your network traffic.
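As an added example (not code from the article or from HUMAN's research), here is a small Python script that puts the "monitor your network traffic" advice into practice: it takes connection records exported from a router or a packet capture and flags any device that contacts the same outside address on a near-fixed schedule, the kind of regular check-in described above. The flow records, the suspect device address and the 203.0.113.10 "command server" are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for illustration: (epoch seconds, source IP, destination "ip:port").
# 192.168.1.42 stands in for a suspect TV box; 203.0.113.10 is a placeholder C2 address.
SAMPLE_FLOWS = [
    (1000, "192.168.1.42", "203.0.113.10:443"),
    (1100, "192.168.1.20", "198.51.100.5:443"),
    (1130, "192.168.1.20", "198.51.100.5:443"),
    (2195, "192.168.1.42", "203.0.113.10:443"),
    (3402, "192.168.1.42", "203.0.113.10:443"),
    (3500, "192.168.1.42", "198.51.100.7:80"),
    (4598, "192.168.1.42", "203.0.113.10:443"),
    (5000, "192.168.1.20", "198.51.100.5:443"),
    (5010, "192.168.1.20", "198.51.100.5:443"),
    (5800, "192.168.1.42", "203.0.113.10:443"),
    (7003, "192.168.1.42", "203.0.113.10:443"),
    (8199, "192.168.1.42", "203.0.113.10:443"),
    (9000, "192.168.1.20", "198.51.100.5:443"),
    (9401, "192.168.1.42", "203.0.113.10:443"),
    (9500, "192.168.1.42", "198.51.100.7:80"),
]


def find_beacons(flows, min_connections=5, max_jitter_ratio=0.1):
    """Return (src, dst, period_seconds) for pairs that connect at near-fixed intervals.

    A host that contacts the same endpoint at least `min_connections` times, with
    gaps between connections whose standard deviation is under `max_jitter_ratio`
    of the mean gap, is reported. Human-driven browsing is bursty and fails this test.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_FLOWS):
        print(f"{src} contacts {dst} about every {period // 60} minutes")
```

A hit only tells you that a device is checking in on a timer; cross-check the destination before deciding anything, since legitimate update and NTP clients are periodic too.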
If you think you’ve got a bad egg in your setup, unplug it from the network immediately and keep it isolated. There’s no universal fix, and a factory reset probably won’t help if the malware lives in the firmware.