Badbox 2.0 Android malware found infecting millions of devices, FBI issues warning

The FBI has issued a warning against the Badbox 2.0 malware campaign, which has reportedly infected over a million internet-connected devices commonly found on home networks. The botnet aims to turn regular, consumer-use devices into residential proxies, which are provided to hackers for malicious purposes.

The botnet generally consists of Chinese Android smart TVs, streaming boxes, tablets, and other Internet of Things (IoT) devices that sell at a fraction of the cost of comparable devices from big-name manufacturers and offer the same functionality. However, these devices either come preloaded with the Badbox 2.0 malware that registers them on the botnet once activated or get infected after the malware is pushed via firmware or software updates coming from both Google Play and third-party app stores.

Once the malware activates, the device connects to the attacker’s command and control (C2) servers, and the attacker can then use the infected device for various activities, including setting up residential proxy networks, loading and clicking ads in the background, and carrying out credential stuffing attacks.

Photo: WhataWin/Shutterstock.com

Residential proxy networks let hackers route their traffic via residential networks, throwing off investigators and making it appear as if someone else is behind their activity. Such botnets can also be repurposed to carry out large-scale DDoS attacks that can knock even the biggest servers down.

The FBI’s warning aside, multiple law enforcement agencies have tried taking down the botnet in the past. In 2024, Germany’s cybersecurity agencies were able to disrupt the botnet in the country, but it was found running on hundreds of thousands of devices again within a few weeks.

A report from Satori Threat Intelligence estimates that the botnet had affected more than one million consumer devices by March 2025. This is a newer botnet compared to its predecessor, the original Badbox campaign, which ran on fewer devices and was found mostly on cheap, no-name Android TV boxes.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.