
The FBI has sounded the alarm: over one million household devices across the globe have been infected with the BADBOX 2.0 malware, which transforms ordinary electronics into tools of cybercriminal enterprises. At particular risk are inexpensive Chinese-manufactured Android devices, including televisions, media players, projectors, tablets, and various IoT gadgets.
The core of the attack lies in the exploitation of compromised devices as residential proxies—allowing malicious actors to obscure their digital activities by rerouting harmful traffic through the IP addresses of unsuspecting users. In addition, infected hardware is enlisted in click fraud operations, automated ad viewing schemes, and credential-stuffing attacks utilizing previously stolen passwords.
What makes BADBOX 2.0 especially insidious is the method of infection. The malware can be pre-installed on a device before purchase—either at the factory level or during the installation of software updates or third-party applications. Experts emphasize that the majority of infections occur during the device’s initial setup, when it downloads essential apps that harbor a backdoor.
Upon activation, the malware connects to command-and-control servers operated by the attackers, receiving further instructions for exploitation. Chief among its functions is participation in proxy networks through which criminals conduct anonymous online activity—concealing mass website attacks, perpetrating advertising fraud, and utilizing hijacked IP addresses for brute-force intrusions.
The earliest instances of BADBOX infections were detected as early as 2023, primarily on low-cost Android TV boxes like the T95. At that time, German cybersecurity experts managed to disrupt its operations by sinkholing the control servers. However, within a week, new variants of BADBOX emerged on over 192,000 devices, including products from more prominent brands such as Hisense and even Yandex TV.
By early 2025, infection rates had surpassed one million devices, according to analysts at HUMAN Satori Threat Intelligence. BADBOX 2.0 has become a global concern, with infections documented in 222 countries and territories. Leading the statistics are Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%).
All affected devices operate on the open-source Android Open Source Project (AOSP), rather than the certified Android TV OS—meaning they lack Google Play Protect defenses. Most originate from Chinese factories and are distributed globally under dozens of obscure brand names.
Among the infected models are dozens of devices, including the X96Q, X96mini, TX3mini, MX10PRO, Smart TVs from Fujicom, and others listed in the HUMAN report. Many are marketed as “unlocked” or “free content supported,” which heightens consumer interest but simultaneously increases vulnerability.
Infection can often be identified through telltale signs: suspicious applications, disabled Google protections, unusual network activity, or unfamiliar device branding. Even a generic model name like “TVBOX” or “Smart” may signal potential compromise.
In March 2025, Google, HUMAN, Trend Micro, and The Shadowserver Foundation conducted a joint operation, temporarily severing communication between more than 500,000 devices and their command servers. Despite the initiative’s success, newly infected devices continue to join the BADBOX 2.0 network, and the threat remains active.
The FBI urges all IoT device owners to promptly inspect their equipment, refrain from installing apps from untrusted sources, and monitor home network traffic vigilantly. At the first sign of compromise, users are advised to immediately disconnect the device from the internet, which may sever its connection to the botnet and disrupt remote control by malicious actors.
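The "unusual network activity" and home-traffic monitoring the advisory points to can be checked with a simple heuristic pass over router flow records. The following is an added example, not code from the FBI, HUMAN, or any BADBOX report: it assumes the router exports one CSV line per flow (timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in), and the LAN prefix, thresholds, addresses and every record below are constructed for illustration. It flags a device that fans out to many distinct external hosts while uploading about as much as it downloads, the pattern a media player relaying someone else's requests would produce, rather than the download-heavy, few-destination pattern of ordinary use.

```python
"""Heuristic check of home-network flow records for proxy-like devices.

Added example; not code from the FBI, HUMAN, or any BADBOX report. Assumes
the router exports per-flow CSV records
(timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in). All records,
addresses and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed home LAN prefix; any destination outside it counts as external.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed records: a laptop (.20) with a few download-heavy flows, plus
# one LAN-internal DNS lookup from the TV box (.42) that must be ignored.
_LITERAL_FLOWS = """\
2025-06-01T20:00:01,192.168.1.20,203.0.113.10,443,1200,95000
2025-06-01T20:00:05,192.168.1.20,203.0.113.11,443,900,240000
2025-06-01T20:01:10,192.168.1.20,203.0.113.10,443,700,60000
2025-06-01T20:00:00,192.168.1.42,192.168.1.1,53,60,120
"""
# Constructed records: the TV box reaching 25 distinct external hosts with
# upload volume close to download volume, as a relaying device would.
_BOX_FLOWS = "\n".join(
    f"2025-06-01T20:{i:02d}:30,192.168.1.42,198.51.100.{i + 1},"
    f"{[80, 443, 8080][i % 3]},{4800 + i * 10},{5000 + i * 10}"
    for i in range(25)
)
SAMPLE_FLOWS = _LITERAL_FLOWS + _BOX_FLOWS + "\n"


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


@dataclass
class DeviceProfile:
    src: str
    n_flows: int = 0
    bytes_out: int = 0
    bytes_in: int = 0
    dsts: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    @property
    def distinct_dsts(self) -> int:
        return len(self.dsts)


def parse_flows(text: str) -> list:
    """Parse CSV flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, out_b, in_b = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), int(out_b), int(in_b)))
    return flows


def assess_devices(flows, lan=HOME_LAN, dst_threshold=20, ratio_threshold=0.5):
    """One profile per LAN device, built only from flows to external hosts.

    Heuristics (thresholds are assumptions for this example):
      many_destinations: >= dst_threshold distinct external hosts reached;
      symmetric_traffic: bytes_out / bytes_in >= ratio_threshold (a media
        player normally downloads far more than it uploads).
    """
    profiles = {}
    for f in flows:
        if ipaddress.ip_address(f.dst) in lan:
            continue  # LAN-internal traffic such as DNS to the router
        p = profiles.setdefault(f.src, DeviceProfile(f.src))
        p.n_flows += 1
        p.bytes_out += f.bytes_out
        p.bytes_in += f.bytes_in
        p.dsts.add(f.dst)
    for p in profiles.values():
        if p.distinct_dsts >= dst_threshold:
            p.reasons.append("many_destinations")
        if p.bytes_out / max(p.bytes_in, 1) >= ratio_threshold:
            p.reasons.append("symmetric_traffic")
    return profiles


def suspicious_devices(profiles) -> list:
    """Sorted addresses of devices that tripped at least one heuristic."""
    return sorted(src for src, p in profiles.items() if p.reasons)


if __name__ == "__main__":
    for src, p in assess_devices(parse_flows(SAMPLE_FLOWS)).items():
        ratio = p.bytes_out / max(p.bytes_in, 1)
        print(f"{src}: {p.n_flows} flows, {p.distinct_dsts} hosts, "
              f"out/in={ratio:.2f}, reasons={p.reasons}")
```

Run as-is, it reports the laptop with no reasons and the TV box with both. The thresholds are a starting point, not a verdict: on a real network they should be tuned against each device's own baseline over a day or two, and a device that trips them is a candidate for the steps the FBI lists above, disconnecting it from the internet and checking it for unfamiliar apps and disabled Google protections.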