A sophisticated new variant of the BADBOX malware has compromised over one million Android devices across multiple continents. The Federal Bureau of Investigation is now warning that the campaign has infected millions of home Internet-connected consumer electronics. The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, and tablets. The campaign represents one of the most significant mobile security breaches of 2025, with active infections reported in 222 countries. The highest concentration of compromised devices is currently in Brazil, the United States, Mexico, and Argentina.
These consumer electronic devices often come preloaded with the BADBOX 2.0 malware before they are even purchased. They can also become infected after installing malicious firmware updates or through Android applications that sneak onto app stores. The FBI explains that cybercriminals gain unauthorized access to home networks by configuring the product with malicious software before its sale. Once these compromised Internet of Things devices are connected to home networks, they become part of the botnet's residential proxy service. The infected devices connect to the attacker's command and control servers and await commands to carry out malicious activities.
Once under the attacker's control, the botnet is used for several malicious activities, including building large-scale residential proxy networks. The malware routes internet traffic from other cybercriminals through the victims' home IP addresses, masking the true origin of that traffic. The botnet also performs ad fraud by loading and clicking on advertisements in the background, generating illicit ad revenue for its operators. BADBOX 2.0 evolved from the original malware, first identified in 2023, and continued to grow despite a German disruption effort. A recent joint operation has since disrupted over 500,000 infected devices, but the botnet continues to expand its global reach.
The most concerning aspect of BADBOX 2.0 is its persistence mechanism, which allows it to survive factory resets. The malware achieves this by exploiting previously unknown vulnerabilities in the standard Android bootloader verification process to install itself deep in the system. It runs as a persistent system-level service that masquerades as legitimate Android framework components and even creates backup copies of itself. The FBI advises consumers to assess the IoT devices connected to their home networks for suspicious online activity. Users should never download applications from unofficial marketplaces and should keep all of their devices updated with the latest security patches.
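The two behaviours the article attributes to an infected device, relaying other people's traffic as a residential proxy exit and checking in with a command and control server, both leave a footprint in ordinary home-router or firewall flow logs. The script below is an added example, not part of the original article or of any FBI guidance, of how a defender can look for that footprint: a device contacting an unusually large number of distinct external hosts in a ten-minute window, and a device talking to one host on a near-constant interval. The flow records are constructed for the example, the thresholds (40 destinations, 5 hits, 5 seconds of jitter) are assumptions to tune per network, and the addresses are documentation ranges rather than any real indicator.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str     # device IP on the home LAN
    dst: str     # external destination IP
    dport: int


def _constructed_flows() -> list[Flow]:
    """Constructed sample, not real telemetry: a laptop with ordinary browsing
    and a streaming box that relays traffic to many unrelated hosts while
    beaconing to one address on a fixed interval."""
    flows = []
    t0 = 1_700_000_000
    # Laptop: a handful of destinations, irregular timing.
    laptop_dsts = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for i, gap in enumerate([0, 7, 19, 23, 61, 140, 300, 333, 410, 590]):
        flows.append(Flow(t0 + gap, "192.168.1.20", laptop_dsts[i % 3], 443))
    # Streaming box: 50 distinct destinations inside ten minutes (proxy fan-out)...
    for i in range(50):
        flows.append(Flow(t0 + i * 11, "192.168.1.50", f"198.51.100.{100 + i}", 443))
    # ...plus a 60-second beacon to a single host.
    for i in range(10):
        flows.append(Flow(t0 + i * 60, "192.168.1.50", "203.0.113.7", 8080))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def fan_out(flows, window=600, min_dsts=40):
    """Return {src: most distinct destinations seen in any `window`-second span}
    for devices at or above min_dsts. A headless TV box that talks to dozens of
    unrelated hosts in ten minutes is behaving like a proxy exit, not a TV."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        for i, start in enumerate(fl):
            seen = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            best = max(best, len(seen))
        if best >= min_dsts:
            result[src] = best
    return result


def beacons(flows, min_hits=5, jitter=5):
    """Return {(src, dst): interval_seconds} for pairs contacted at least
    min_hits times where every gap lies within `jitter` seconds of the median,
    i.e. the timer-driven check-in pattern of a device awaiting commands."""
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst)].append(f.ts)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = median(gaps)
        if m > 0 and all(abs(g - m) <= jitter for g in gaps):
            found[key] = m
    return found


def suspicious_devices(flows=SAMPLE_FLOWS):
    """Combine both signals into a per-device report keyed by LAN address."""
    report = defaultdict(dict)
    for src, n in fan_out(flows).items():
        report[src]["distinct_destinations_10min"] = n
    for (src, dst), interval in beacons(flows).items():
        report[src].setdefault("beacons", []).append((dst, interval))
    return dict(report)


if __name__ == "__main__":
    for device, findings in suspicious_devices().items():
        print(device, findings)
```

On the constructed sample only the streaming box is reported: 51 distinct destinations inside ten minutes and a 60-second beacon to one host, while the laptop trips neither rule. Against a real router export, replace `SAMPLE_FLOWS` with parsed log lines and expect to raise or lower the thresholds; a media device that legitimately streams from a CDN will hit a few dozen hosts over a day, but rarely fifty in ten minutes with a metronomic side channel to a single address.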