Chinese IoT Consumer Devices Are The Playground For BadBox 2.0
The Federal Bureau of Investigation (FBI) has recently alerted the public about cybercriminals exploiting Internet of Things (IoT) devices connected to home networks through the BadBox 2.0 botnet. These criminals gain unauthorized access to home networks by compromising IoT devices such as TV streaming devices, digital projectors, after-market vehicle infotainment systems, digital picture frames, and other similar products. Most of the infected devices originate from manufacturers based in China.
Cybercriminals typically compromise these devices in one of two ways: malicious software is installed before purchase, or the device is infected during initial setup, when it downloads applications that contain hidden backdoors. Once connected to a home network, a compromised device becomes part of the BadBox 2.0 botnet and of the residential proxy services built on top of it, both of which are used for malicious activity.
Investigators discovered BadBox 2.0 after disrupting the original BadBox campaign in 2024. First identified in 2023, the initial BadBox campaign focused on Android operating system devices preloaded with backdoor malware. BadBox 2.0 expands on this threat by not only compromising devices prior to purchase but also infecting devices through malicious apps downloaded from unofficial marketplaces.
The BadBox 2.0 botnet comprises millions of infected devices and maintains numerous backdoors into residential proxy services. The operators monetize these compromised home networks by selling access to them, or providing it free, for a range of criminal purposes, from malware distribution and ad fraud to Distributed Denial of Service (DDoS) attacks.
The FBI has urged the public to investigate their home IoT devices for signs of compromise and to disconnect any suspicious devices from their networks. While a single indicator may not confirm malicious activity, the following signs could suggest involvement with the BadBox 2.0 botnet:
- Use of suspicious app marketplaces
- Google Play Protect disabled in the device settings
- Generic TV streaming devices advertised as "unlocked" or offering free content
- IoT devices from unrecognized brands
- Android devices lacking Play Protect certification
- Unusual or unexplained internet traffic
Further, the FBI recommends the following strategies to reduce the risk of unauthorized access through residential proxy networks:
- Monitor and maintain awareness of internet traffic on home networks
- Assess all connected IoT devices for signs of suspicious activity
- Avoid downloading apps from unofficial marketplaces, especially those offering free streaming content
- Keep all operating systems, software, and firmware updated. Timely patching of vulnerabilities—particularly in firewalls and internet-facing systems—is among the most effective and cost-efficient cybersecurity measures.
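The "unusual or unexplained internet traffic" indicator above is the one a home user can actually measure, but the FBI list does not say what to measure. The script below is an added example (not FBI or PCrisk tooling) of one heuristic: a box that has been turned into a residential-proxy exit relays other people's connections, so it talks to many unrelated external hosts with small flows, whereas a legitimate streaming device pulls large objects from a few CDN endpoints. It assumes you can export per-flow records from your router in the simplified "src dst dport bytes" layout used here, that the home subnet is 192.168.1.0/24, and thresholds that you should tune for your own network; the flow records are constructed, not captured traffic.

```python
"""Heuristic triage of home-network flow records for residential-proxy egress.

Added example, not the FBI's or PCrisk's own tooling. Record layout, subnet and
thresholds are assumptions; the sample records are constructed, not captured.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet


def sample_flow_lines() -> list[str]:
    """Constructed records (not captured traffic): '<src> <dst> <dport> <bytes>'."""
    lines: list[str] = []
    for _ in range(40):
        # Brand-name streaming stick: two CDN endpoints, large downloads.
        lines.append("192.168.1.20 192.0.2.10 443 900000")
        lines.append("192.168.1.20 192.0.2.11 443 1200000")
    for i in range(1, 61):
        # Generic "unlocked" TV box: 120 unrelated hosts, tiny flows, odd ports.
        lines.append(f"192.168.1.31 203.0.113.{i} {8080 if i % 2 else 443} {3000 + i}")
        lines.append(f"192.168.1.31 198.51.100.{i} 80 {2000 + i}")
    lines.append("192.168.1.31 192.168.1.1 53 80")  # LAN DNS query, must be ignored
    return lines


@dataclass
class DeviceStats:
    flows: int = 0
    dsts: set[str] = field(default_factory=set)
    ports: set[int] = field(default_factory=set)
    sizes: list[int] = field(default_factory=list)


def parse_flows(lines: list[str]) -> dict[str, DeviceStats]:
    """Aggregate per-source statistics, ignoring destinations inside the LAN."""
    stats: dict[str, DeviceStats] = defaultdict(DeviceStats)
    for line in lines:
        src, dst, port, nbytes = line.split()
        if ipaddress.ip_address(dst) in LAN_NET:
            continue  # router, DNS, printers: not proxy traffic
        s = stats[src]
        s.flows += 1
        s.dsts.add(dst)
        s.ports.add(int(port))
        s.sizes.append(int(nbytes))
    return dict(stats)


def find_proxy_like(stats: dict[str, DeviceStats], min_dsts: int = 50,
                    small_flow: int = 16_000, min_small_ratio: float = 0.8) -> dict[str, dict]:
    """Return sources whose outbound profile matches the proxy-exit assumption:
    many distinct external destinations and mostly small flows."""
    flagged: dict[str, dict] = {}
    for src, s in stats.items():
        small_ratio = sum(1 for b in s.sizes if b < small_flow) / s.flows
        if len(s.dsts) >= min_dsts and small_ratio >= min_small_ratio:
            flagged[src] = {
                "distinct_dsts": len(s.dsts),
                "distinct_ports": len(s.ports),
                "small_flow_ratio": round(small_ratio, 2),
                "mean_bytes": int(mean(s.sizes)),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_proxy_like(parse_flows(sample_flow_lines())).items():
        print(f"{src}: proxy-like outbound profile {info}")
```

Devices it flags are candidates for the disconnect-and-inspect step the FBI recommends; a flagged device that turns out to be a brand-name, Play Protect certified product is a false positive worth understanding (a peer-to-peer update mechanism, say) before pulling the plug.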
BadBox 2.0 Frustratingly Resilient
Returning to BadBox's discovery in greater detail: Bleeping Computer reported that Daniel Milisic, a Canadian security researcher, found that an Android TV box he had bought from Amazon came with persistent, sophisticated malware embedded in its firmware. The device is the T95 Android TV box, built around an Allwinner T616 processor and widely sold through major e-commerce platforms such as Amazon and AliExpress.
Milisic found that the T95 ran an Android 10-based ROM signed with test keys and had the Android Debug Bridge (ADB) listening over both Ethernet and Wi-Fi. This configuration is concerning: ADB gives a shell on the device from which files can be read and modified, commands run, software installed, and the device controlled remotely, and on a test-keys (debuggable) build that shell can normally be elevated to root with adb root.
Most home routers do not forward unsolicited inbound connections, so ADB on such a box is usually not reachable from the internet; it is, however, reachable from any device on the same home network, and the firmware already shipped with the malware, so the exposure is serious regardless. The malware found on these devices later became colloquially known as BadBox.
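The test-keys ROM and network-exposed ADB that Milisic found, and several of the FBI's indicators (uncertified Android builds, generic "unlocked" boxes, stale firmware), can be checked directly once you have an ADB connection to the device. The following is an added example, not the researcher's or PCrisk's own code. It reads the output of adb shell getprop and assumes the AOSP meaning of the properties: ro.build.tags=test-keys marks a build signed with the publicly available AOSP test keys; ro.debuggable=1, ro.secure=0 and ro.adb.secure=0 respectively allow adb root, start adbd as root, and disable ADB key authorization; service.adb.tcp.port (or persist.adb.tcp.port) being set means adbd listens on the network, normally port 5555. Play Protect certification is not exposed as a property and must be checked in the Play Store app's settings. The getprop output, the device model and the reference date are constructed for the example.

```python
"""Triage an Android TV box from `adb shell getprop` output.

Added example, not the researcher's or PCrisk's code. Property meanings follow
AOSP; the sample output, model name and reference date are constructed.
"""
from __future__ import annotations

import re
import socket
from datetime import date

# Constructed sample (not captured from a real device) of `adb shell getprop`.
SAMPLE_GETPROP = """\
[ro.product.brand]: [generic]
[ro.product.model]: [example-tv-box]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-02-05]
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
"""
# Assumed "today" so the patch-age result is reproducible.
SAMPLE_TODAY = date(2025, 6, 10)

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Turn getprop's '[key]: [value]' lines into a dict; other lines are skipped."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def assess(props: dict[str, str], today: date = SAMPLE_TODAY,
           max_patch_age_days: int = 365) -> list[str]:
    """Return one finding per weak setting present in the properties."""
    findings: list[str] = []
    if props.get("ro.build.tags") == "test-keys":
        findings.append("ro.build.tags=test-keys: signed with the public AOSP test keys, "
                        "so the signature proves nothing about who built the firmware")
    if props.get("ro.build.type") in ("userdebug", "eng") or props.get("ro.debuggable") == "1":
        findings.append("debuggable build: adb root is allowed")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd already runs as root")
    if props.get("ro.adb.secure") == "0":
        findings.append("ro.adb.secure=0: ADB accepts clients without key authorization")
    port = props.get("service.adb.tcp.port") or props.get("persist.adb.tcp.port")
    if port and port not in ("0", "-1"):
        findings.append(f"adbd listening on TCP port {port}: reachable from the whole LAN/Wi-Fi")
    patch = props.get("ro.build.version.security_patch")
    if patch:
        age = (today - date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            findings.append(f"security patch level {patch} is {age} days old")
    return findings


def adb_port_open(host: str, port: int = 5555, timeout: float = 1.0) -> bool:
    """Same exposure checked from another machine on the LAN, without adb."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in assess(parse_getprop(SAMPLE_GETPROP)):
        print("-", finding)
```

A stock retail build shows release-keys, build type user, ro.debuggable=0, ro.secure=1, ro.adb.secure=1 and no TCP port, and produces no findings; a box that trips the test-keys or TCP-port checks matches what was seen on the T95 and should be treated as untrusted even before any malware is located on it.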
In December 2024, Germany's Federal Office for Information Security (BSI) disrupted the BadBox malware operation, which had infected some 30,000 Android IoT devices sold in the country. The BSI sinkholed the malware's command-and-control domains, redirecting the infected devices' traffic to servers under its control and cutting off the operators' communication with the devices.
It also advised consumers to disconnect affected devices from the internet and stop using them, since sinkholing blocks the command channel but does not remove the malware from the firmware. The incident highlights the risks of outdated firmware and the importance of buying devices from reputable manufacturers that provide long-term security support.
BadBox operations were disrupted again in March 2025, this time by a coordinated effort led by Human Security's Satori Threat Intelligence team in collaboration with Google, Trend Micro, and the Shadowserver Foundation, targeting the BadBox 2.0 Android malware botnet. The effort removed 24 malicious apps from the Google Play Store and sinkholed communications for over 500,000 infected devices.
Despite previous disruptions, including the German action in December 2024, the botnet proved resilient: infections spread to over 1 million devices across 222 countries, with the highest infection rates in Brazil, the United States, Mexico, and Argentina.
Human Security's investigation revealed that the malware operators employed deceptive tactics, such as creating "evil twin" apps that mimic legitimate applications to distribute malware. These fraudulent apps were used to conduct cybercrimes like ad fraud and to expand the botnet's reach.
Researchers said at the time that the disruption had significantly impacted BadBox 2.0's operations but had not eliminated the threat, and the recent FBI warning confirms that it persists. One reason is the operators' preference for uncertified devices that lack Google's Play Protect protections, which are common among cheaper consumer electronics.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.