Millions of Internet-of-Things (IoT) devices running the open-source version of the Android operating system are part of the Badbox 2.0 botnet, the FBI has warned.
Cybercriminals are using the botnet to perform ad fraud and click fraud. Access to and use of the compromised devices is also offered for sale through residential proxy services, which facilitate malware distribution, DDoS attacks, account takeover attacks, fake account creation, and other abuse.
“The Badbox 2.0 threat in particular is compelling in no small part because of the open-season nature of the operation. With the backdoor in place, infected devices could be instructed to carry out any cyberattack a threat actor developed,” researchers with Human Security’s Satori Threat Intelligence and Research Team said in March, when they revealed the pervasiveness of the botnet and their efforts to cripple it.
BadBox: The “prequel”
Human Security’s researchers unveiled the existence of the first Badbox botnet in 2023.
It consisted mainly of off-brand Android Open Source Project-powered connected TV (CTV) boxes, smartphones and tablets, which had been equipped with the Triada modular backdoor before being packaged and shipped.
Separately from the pre-installed backdoor, the researchers also discovered many Android, iOS, and CTV apps equipped with the Peachpit ad fraud module, which had been tied to the BadBox operation.
Disruptive actions were undertaken by Human, Google and Apple, but the former noted that the botnet is likely to rise again, as the Triada/Badbox backdoor cannot be uninstalled, since it’s embedded in a non-writable partition of the devices’ firmware.
In late 2024, Germany’s Federal Office for Information Security (BSI) temporarily disrupted the botnet by interrupting communication between the Badbox-equipped devices and the botnet’s command and control (C2) server, but the impact obviously wasn’t long-lasting.
In March 2025, Human Security, Google, Trend Micro, Shadowserver, and other partners partially disrupted Badbox 2.0 operations, but again warned that the threat actors behind Badbox and Badbox 2.0 are likely to adapt again and relaunch their operations – and they were right.
“The disruption efforts led by Human and partners cannot dismantle the supply chain that enables these threat actors to implant the backdoor into devices destined for consumer hands,” the company added.
Is your device part of Badbox 2.0?
Devices connected to the Badbox 2.0 operation include cheap, off-brand, uncertified tablets, TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames and other products.
The devices are manufactured in mainland China and shipped globally.
More than a third of them are located in Brazil, where low-cost Android Open Source Project devices are particularly popular, Human Security found. “Other countries with significant numbers include the United States, Mexico, Argentina, and Colombia.”
Among the infected devices are the following device models:
Badbox-infected device models (Source: Human Security)
Apart from the backdoor, some devices also download seemingly legitimate but malicious apps from unofficial app marketplaces (e.g., “Earn Extra Income”, “Pregnancy Ovulation Calculator”). “Twins” of those same apps, with the same names, have also been found in Google’s official Play app store, but they didn’t contain the ad fraud modules.
The FBI told users that they should consider the possibility that their devices are infected if:
- The device has suspicious app marketplaces or apps installed
- The device asked the user to disable Google Play Protect, or is not Play Protect certified
- The device is a generic TV streaming device that has been advertised as unlocked or capable of accessing free content
- The device has been sold under an unrecognizable brand
- The user has detected unexplained or suspicious internet traffic.
“The public is urged to evaluate IoT devices in their home for any indications of compromise and consider disconnecting suspicious devices from their networks,” the FBI advised.
The FBI also urged users to assess all IoT devices connected to home networks for suspicious activity, avoid downloading apps from unofficial marketplaces, and regularly update their IoT devices.
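Acting on the last indicator, unexplained or suspicious internet traffic, requires something concrete to look at. The following is an added example, not code from the article, the FBI notice or Human Security: a Python script that summarizes per-device outbound flows exported from a home router and flags devices that reach an unusually large number of distinct external hosts and ports in a short window, which is what a device being rented out as a residential proxy tends to look like next to a streaming box that only talks to a couple of CDN hosts. The CSV export format, the sample flow records and the thresholds are all constructed assumptions.

```python
"""Score home-network devices for proxy-like outbound fan-out.

Added example, not from the article, the FBI notice, or Human Security. It assumes
per-connection flow records can be exported from a router or network tap as CSV
lines of the form  timestamp,src_ip,dst_ip,dst_port,bytes_out . All records and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside the home network"; anything else counts as an
# external destination. The documentation ranges (203.0.113.0/24, 198.51.100.0/24,
# 192.0.2.0/24) stand in for public addresses in the sample, so they are
# deliberately not listed here.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# Constructed sample. 192.168.1.20 behaves like a streaming box (two CDN hosts plus
# local DNS); 192.168.1.40 behaves like a residential proxy node, reaching many
# unrelated external hosts on assorted ports within seconds.
SAMPLE_FLOWS = """\
2025-06-01T20:00:01,192.168.1.20,203.0.113.10,443,120000
2025-06-01T20:00:05,192.168.1.20,203.0.113.11,443,98000
2025-06-01T20:00:08,192.168.1.20,192.168.1.1,53,120
2025-06-01T20:00:12,192.168.1.40,198.51.100.5,443,3100
2025-06-01T20:00:13,192.168.1.40,198.51.100.6,80,2900
2025-06-01T20:00:14,192.168.1.40,198.51.100.7,8080,2800
2025-06-01T20:00:15,192.168.1.40,198.51.100.8,443,3300
2025-06-01T20:00:16,192.168.1.40,203.0.113.50,25,1500
2025-06-01T20:00:17,192.168.1.40,203.0.113.51,443,3000
2025-06-01T20:00:18,192.168.1.40,203.0.113.52,8443,2700
2025-06-01T20:00:19,192.168.1.40,203.0.113.53,443,3200
2025-06-01T20:00:20,192.168.1.40,192.0.2.9,443,3100
2025-06-01T20:00:21,192.168.1.40,192.0.2.10,5222,2600
2025-06-01T20:00:30,192.168.1.40,192.168.1.1,53,110
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the home-network ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def summarize(flows: list) -> dict:
    """Per source device: distinct external destinations, distinct ports, bytes out."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0})
    for f in flows:
        if is_internal(f["dst"]):          # local DNS, printers, etc. are not fan-out
            continue
        s = stats[f["src"]]
        s["dsts"].add(f["dst"])
        s["ports"].add(f["port"])
        s["bytes"] += f["bytes"]
    return stats


def flag_devices(flows: list, min_distinct_dsts: int = 8,
                 min_distinct_ports: int = 4) -> dict:
    """Map each suspicious source IP to the reasons it was flagged.

    'fan-out': talks to many distinct external hosts (proxy or click-fraud traffic).
    'port-spread': uses many distinct destination ports, which a TV box rarely does.
    """
    flagged = {}
    for src, s in summarize(flows).items():
        reasons = []
        if len(s["dsts"]) >= min_distinct_dsts:
            reasons.append("fan-out")
        if len(s["ports"]) >= min_distinct_ports:
            reasons.append("port-spread")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, s in sorted(summarize(flows).items()):
        print(f"{src}: {len(s['dsts'])} external hosts, "
              f"{len(s['ports'])} ports, {s['bytes']} bytes out")
    for src, reasons in flag_devices(flows).items():
        print(f"REVIEW {src}: {', '.join(reasons)}")
```

The thresholds are starting points to tune against a few days of a device's normal traffic; a flagged device is a candidate for isolation and closer inspection, not proof of infection. Comparing a cheap off-brand box against a certified device of the same kind on the same network is a quick way to see whether its fan-out is out of line.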