{"id":11359,"date":"2025-06-11T22:01:21","date_gmt":"2025-06-11T22:01:21","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/the-fbi-warns-of-badbox-2-0-a-cyberattack-that-targets-home-iot-devices\/"},"modified":"2025-06-11T22:01:21","modified_gmt":"2025-06-11T22:01:21","slug":"the-fbi-warns-of-badbox-2-0-a-cyberattack-that-targets-home-iot-devices","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/the-fbi-warns-of-badbox-2-0-a-cyberattack-that-targets-home-iot-devices\/","title":{"rendered":"The FBI Warns of BADBOX 2.0 \u2013 A Cyberattack That Targets Home IoT Devices"},"content":{"rendered":"<div>\n<div>\n<p>Key Takeaways<\/p>\n<ul>\n<li>The FBI has warned the public about BADBOX 2.0 \u2013 malware that infects home devices like TVs, streaming boxes, and vehicle infotainment systems.<\/li>\n<li>Once compromised, these devices are added to a botnet and used as residential proxies for malicious activity.<\/li>\n<li>Users should avoid buying devices from unrecognized brands and check their home network traffic for suspicious activity.<\/li>\n<\/ul>\n<\/div>\n<figure><picture fetchpriority=\"high\" decoding=\"async\"><source type=\"image\/webp\" data-lazy-srcset=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-1200x686.jpg.webp 1200w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-300x172.jpg.webp 300w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-150x86.jpg.webp 150w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-768x439.jpg.webp 768w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-777x444.jpg.webp 777w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack.jpg.webp 1280w\"  data-lazy-sizes=\"(max-width: 1200px) 100vw, 
1200px\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1200\" height=\"686\" alt=\"The FBI Warns of BADBOX 2.0 \u2013 A Cyberattack That Targets Home IoT Devices\" srcset=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-1200x686.jpg 1200w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-300x172.jpg 300w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-150x86.jpg 150w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-768x439.jpg 768w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-777x444.jpg 777w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack.jpg 1280w\" data-lazy-sizes=\"(max-width: 1200px) 100vw, 1200px\" src=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/fbi-warning-badbox2-iot-cyberattack-1200x686.jpg\">\n<\/picture>\n<\/figure>\n<p>The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the BADBOX 2.0 botnet, which is actively compromising consumer IoT devices in people\u2019s homes.<\/p>\n<p>Devices like digital projectors, TV streaming boxes, digital picture frames, and vehicle infotainment systems, most of them manufactured in China, are the ones most commonly affected.<\/p>\n<p>There are two ways your devices can be infected:<\/p>\n<ul>\n<li>They can arrive with the malicious software already installed.<\/li>\n<li>Or you can unwittingly infect them yourself by installing apps from unofficial, unvetted app marketplaces.<\/li>\n<\/ul>\n<p>When HUMAN Security\u2019s Satori Threat Intelligence team bought devices from retailers during the original BADBOX campaign, around 80% of them turned out to be pre-infected.<\/p>\n<p>This particular bad actor seems to be one step ahead of the 
original BADBOX campaign, which was disrupted in 2024. The earlier version relied solely on devices that shipped with the backdoor pre-installed; BADBOX 2.0 also infects devices through apps downloaded from unofficial marketplaces.<\/p>\n<p>Once a device is compromised, it joins a large botnet in which each infected device acts as a residential proxy node. Threat actors then use these devices for illegal activity such as ad fraud, installing further code remotely, and creating fake email accounts.<\/p>\n<p>Criminals route their traffic through these devices to hide their real IP addresses and locations, and all of it happens without the owner\u2019s knowledge. In the process, the attackers can also reach other devices and private information on the compromised home network.<\/p>\n<h2>Brief History of BADBOX and PEACHPIT<\/h2>\n<p>The original BADBOX backdoor, disclosed by HUMAN Security in 2023, was derived from the Triada malware family, which has Chinese origins and was first documented in 2016. HUMAN\u2019s team found that as many as <u>74,000 Android devices<\/u> were infected with BADBOX in that campaign.<\/p>\n<p>These devices shipped with the backdoor embedded in their firmware, configured to communicate with command-and-control (C2) servers operated by the attackers.<\/p>\n<p>The backdoors were used mainly for large-scale ad fraud. A key component of the initial BADBOX campaign was the PEACHPIT ad fraud module, whose job was to generate illicit ad revenue for the attackers.<\/p>\n<p>The PEACHPIT module was downloaded onto BADBOX-compromised devices and controlled through the C2 servers. The PEACHPIT module <u>infected as many as 280,000 devices<\/u>, sending a massive <em>9B fraud requests every day<\/em>.<\/p>\n<p>However, this doesn\u2019t mean that devices not infected by BADBOX were safe. 
PEACHPIT also spanned 39 malicious applications, which were <u>downloaded around 15M times across 227 countries and territories<\/u>, including on iOS devices. At peak, these apps sent around 4B ad requests every day.<\/p>\n<p>According to HUMAN Security, the BADBOX backdoor itself never affected iOS; iOS users were exposed only through the PEACHPIT apps, which were available in major app marketplaces.<\/p>\n<p><strong><em>However, the ad fraud with BADBOX 2.0 is far more sophisticated than its predecessor.<\/em><\/strong><\/p>\n<p>One technique is hidden WebView ad fraud, in which advertisements are loaded in invisible WebView components. The user never sees them because the ads are rendered off-screen or behind other elements, yet every impression is billed to advertisers.<\/p>\n<p>Another is click fraud, where automated scripts click on those hidden ads or users are tricked into clicking them.<\/p>\n<h2>Extent of the BADBOX 2.0 Damage<\/h2>\n<p>HUMAN\u2019s team has found more than 1M devices infected with BADBOX 2.0 so far, significantly more than the 74K infected during the first campaign. Beyond the app marketplace and ad fraud schemes, the attackers have also built an \u2018entire fraudulent ecosystem\u2019 of 200 backdoors, greatly expanding the attack surface compared to the predecessor.<\/p>\n<p>In addition to ad fraud and proxyjacking, the compromised devices can steal Personally Identifiable Information (PII), including one-time passcodes (OTPs), through keylogging and phishing.<\/p>\n<p>Threat actors can also use OTPs stolen from compromised devices to create fake Gmail and WhatsApp accounts.<\/p>\n<p>They can then publish fake apps and stage cybercrimes that trace back to the device\u2019s owner rather than to them (covering their tracks). 
They can also sign up for limited-access WhatsApp channels (likely to steal confidential information).<\/p>\n<p>Attackers can also issue C2 commands to take over accounts completely, enlist the devices in Distributed Denial-of-Service (DDoS) attacks, and distribute further malware.<\/p>\n<p>BADBOX 2.0 is therefore far more than an ad fraud tool \u2013 its operators have built it as a general-purpose vehicle for illicit monetization by hook or by crook.<\/p>\n<h2>How to Identify and Protect Against BADBOX 2.0<\/h2>\n<p>Here are three ways you can protect yourself against the cybercriminals\u2019 latest weapon.<\/p>\n<h3>1. Only Buy from Reputable Providers<\/h3>\n<p>Most of the compromised devices are manufactured in China and sold under unknown or generic brand names; the \u2018TV98\u2019 and \u2018X96\u2019 Android TV boxes, for instance, account for many BADBOX 2.0 infections.<\/p>\n<p>Attackers favour these devices because they are built with weaker security controls and little oversight of the supply chain, which makes it easy to insert a backdoor before the device ever reaches a store shelf.<\/p>\n<p>So, a good rule of thumb is to buy devices only from reputable brands that you know and trust. A bit of online research, including skimming through YouTube reviews, can save you a massive headache later.<\/p>\n<h3>2. Do NOT Disable Google Play Protect<\/h3>\n<p>If an app or a device\u2019s setup flow asks you to disable Play Protect, don\u2019t (and I do mean \u2018never\u2019). That request is one of the biggest red flags you can get.<\/p>\n<p>Play Protect scans the apps on your device for malicious behavior and warns you when a suspicious installation takes place. 
It also covers side-loaded apps, i.e., apps installed from outside the Google Play Store. Note, however, that Play Protect is only present on Play Protect certified devices, and the cheap off-brand streaming boxes caught up in BADBOX are typically uncertified builds of the Android Open Source Project. Before trusting such a device at all, open the Play Store app, tap your profile icon, then Settings and About, and look for the \u2018Play Protect certification\u2019 status. If the device isn\u2019t certified, Play Protect hygiene can\u2019t help you.<\/p>\n<figure><picture decoding=\"async\"><source type=\"image\/webp\" data-lazy-srcset=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-1200x675.jpg.webp 1200w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-300x169.jpg.webp 300w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-150x84.jpg.webp 150w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-768x432.jpg.webp 768w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-777x437.jpg.webp 777w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect.jpg.webp 1280w\"  data-lazy-sizes=\"(max-width: 1200px) 100vw, 1200px\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"675\" alt=\"Google Play Protect\" srcset=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-1200x675.jpg 1200w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-300x169.jpg 300w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-150x84.jpg 150w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-768x432.jpg 768w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-777x437.jpg 777w, https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect.jpg 1280w\" data-lazy-sizes=\"(max-width: 1200px) 100vw, 1200px\" src=\"https:\/\/techreport.com\/wp-content\/uploads\/2025\/06\/Google-Play-Protect-1200x675.jpg\">\n<\/picture><figcaption><em>Source<\/em> <em>\u2013 Android Developers<\/em><\/figcaption><\/figure>\n<p>Disabling Play Protect removes the on-device check most likely to catch backdoors and keyloggers, which is exactly what threat actors need to infiltrate your device. 
So, the only plausible reason a device or app would ask you to disable Play Protect is that it wants to install software Play Protect would block.<\/p>\n<p>Likewise, if you notice the device downloading apps from an app marketplace you don\u2019t recognize, stop the installation immediately.<\/p>\n<p>Unlike the Google Play Store, third-party marketplaces may not vet each app, and you also run the risk of landing on a fake marketplace purpose-built by the attackers to trick you into installing malware.<\/p>\n<h3>3. Check Network Traffic<\/h3>\n<p>If you suspect a device has already been compromised, the most reliable way to find out at home is to look at its network traffic.<\/p>\n<p>Start with a free network scanner app, which lists every device connected to your local network, so you can identify anything you don\u2019t recognize. Bear in mind that an infected streaming box will show up as exactly what it is; the scanner tells you what is on the network, not what each device is doing.<\/p>\n<p>Next, check your router\u2019s per-device bandwidth usage and connection history for patterns that don\u2019t fit a streaming device: traffic at odd hours while nobody is watching, upload volume close to download volume (a streaming stick downloads far more than it uploads, whereas a proxy node relays roughly equal amounts each way), connections to many unrelated destinations rather than a handful of content servers, and connections on ports other than 443. Any of these on a cheap off-brand box is a good reason to unplug it.<\/p>\n<h2>BADBOX 2.0, A Bigger Issue than It Seems<\/h2>\n<p>The BADBOX 2.0 campaign isn\u2019t the work of a single group but a collaboration between at least four threat actor groups.<\/p>\n<ul>\n<li>The SalesTracker Group manages the C2 servers and infrastructure.<\/li>\n<li>The MoYu Group developed the backdoors used in these attacks.<\/li>\n<li>The Lemon Group monetizes compromised devices through ad fraud and proxy services.<\/li>\n<li>Lastly, LongTV\u2019s applications were the ones found in the hidden ad fraud campaigns.<\/li>\n<\/ul>\n<p>We also believe the FBI hasn\u2019t emphasized nearly enough that these devices arrive pre-loaded with malware before they ever reach the consumer (that being you). 
This makes it more than an end-user security issue; it\u2019s a breach of supply chain integrity.<\/p>\n<p>Beyond raising questions about the security of low-cost IoT devices, it also fuels speculation that the operation could be state-backed.<\/p>\n<p>Something else to think about: once the devices are compromised, access to them is sold on as residential proxies, so other criminals\u2019 traffic exits from US home IP addresses. Many US households are thereby becoming launchpads and hideouts for more sophisticated attacks.<\/p>\n<p>All in all, the issue is deeper (and scarier) than it looks at first glance. Until BADBOX is fully dismantled, millions of non-tech-savvy Americans will remain at risk.<\/p>\n<p>While the FBI is currently downplaying the situation, we wait for a permanent resolution or disruption of the entire BADBOX 2.0 operation.<\/p>\n<div>\n<div>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"250\" height=\"250\" src=\"https:\/\/techreport.com\/wp-content\/uploads\/2022\/11\/avatar_user_154_1669717118-250x250.jpg\" alt=\"Krishi Chowdhary\">\n        <\/p>\n<\/div>\n<p>\n        Krishi is a seasoned tech journalist with over four years of experience writing about PC hardware, consumer technology, and artificial intelligence.\u00a0 Clarity and accessibility are at the core of Krishi\u2019s writing style.<br \/>\nHe believes technology writing should empower readers\u2014not confuse them\u2014and he\u2019s committed to ensuring his content is always easy to understand without sacrificing accuracy or depth.<br \/>\nOver the years, Krishi has contributed to some of the most reputable names in the industry, including Techopedia, TechRadar, and Tom\u2019s Guide. A man of many talents, Krishi has also proven his mettle as a crypto writer, tackling complex topics with both ease and zeal. 
His work spans various formats\u2014from in-depth explainers and news coverage to feature pieces and buying guides.\u00a0<br \/>\nBehind the scenes, Krishi operates from a dual-monitor setup (including a 29-inch LG UltraWide) that\u2019s always buzzing with news feeds, technical documentation, and research notes, as well as the occasional gaming sessions that keep him fresh.\u00a0<br \/>\nKrishi thrives on staying current, always ready to dive into the latest announcements, industry shifts, and their far-reaching impacts.\u00a0 When he\u2019s not deep into research on the latest PC hardware news, Krishi would love to chat with you about day trading and the financial markets\u2014oh! And cricket, as well.\n    <\/p>\n<\/div>\n<div>\n<p>The Tech Report\u00a0editorial policy\u00a0is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. 
We maintain rigorous journalistic standards, and every article is 100% written by\u00a0real authors.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways The FBI has warned users of BADBOX 2.0 \u2013 a malicious software that infects home devices like<\/p>\n","protected":false},"author":7282,"featured_media":11360,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11359","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=11359"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/11359\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/11360"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=11359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=11359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=11359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
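The article's third tip ("Check Network Traffic") tells readers to look at per-device bandwidth and connection history for odd patterns, but gives no concrete signals. The Python script below is an added example written for this page; it is not part of the original article and is not tooling from the FBI, HUMAN Security, or any router vendor. It runs over a constructed sample of per-connection records in the shape a home router might export (timestamp, device name, destination IP, destination port, bytes sent, bytes received) and flags devices whose traffic looks like a residential proxy node rather than a streaming device: many distinct external destinations, traffic concentrated between 01:00 and 06:00, near-symmetric upload/download volume, and connections to uncommon ports. The log format, device names, IP addresses and thresholds are all assumptions for illustration.

```python
"""Flag home-network devices whose traffic profile resembles a residential proxy node."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records (not from any real device). Fields: ISO timestamp,
# device name, destination IP, destination port, bytes sent by the device,
# bytes received by the device. 'tv98-box' is shaped like a proxy node; the
# other two are shaped like ordinary streaming/picture-frame traffic.
SAMPLE_LOG = """
2025-06-10T20:01:12 living-room-tv 23.45.67.10 443 120000 85000000
2025-06-10T20:31:40 living-room-tv 23.45.67.11 443 98000 62000000
2025-06-10T21:10:05 living-room-tv 23.45.67.10 443 110000 91000000
2025-06-10T22:02:50 living-room-tv 151.101.1.140 443 9000 2400000
2025-06-11T02:03:11 tv98-box 45.33.12.7 8080 410000 395000
2025-06-11T02:04:57 tv98-box 185.220.101.4 443 880000 910000
2025-06-11T02:06:20 tv98-box 91.108.56.30 5000 230000 210000
2025-06-11T03:15:02 tv98-box 104.21.6.88 443 1500000 1420000
2025-06-11T03:40:44 tv98-box 37.187.45.9 8443 640000 670000
2025-06-11T04:02:19 tv98-box 62.210.150.3 443 720000 700000
2025-06-11T04:30:00 tv98-box 192.168.1.1 53 2000 4000
2025-06-11T19:45:00 kitchen-frame 172.217.4.46 443 30000 1200000
"""

# Ports a consumer device normally talks to (assumed list for this example).
COMMON_PORTS = {53, 80, 123, 443, 853}


def parse_log(text):
    """Parse whitespace-separated connection records into dicts, skipping blank lines."""
    records = []
    for line in text.strip().splitlines():
        ts, device, dst, port, sent, recv = line.split()
        records.append({
            'ts': datetime.fromisoformat(ts),
            'device': device,
            'dst': ip_address(dst),
            'port': int(port),
            'sent': int(sent),
            'recv': int(recv),
        })
    return records


def device_profile(records):
    """Summarise each device's WAN-bound traffic; LAN (private) destinations are ignored."""
    prof = defaultdict(lambda: {'dsts': set(), 'sent': 0, 'recv': 0, 'night_bytes': 0,
                                'total_bytes': 0, 'conns': 0, 'odd_port_conns': 0})
    for r in records:
        if r['dst'].is_private:
            continue  # DNS to the router, LAN casting, etc. are not relevant here
        p = prof[r['device']]
        vol = r['sent'] + r['recv']
        p['dsts'].add(r['dst'])
        p['sent'] += r['sent']
        p['recv'] += r['recv']
        p['total_bytes'] += vol
        if 1 <= r['ts'].hour < 6:
            p['night_bytes'] += vol
        p['conns'] += 1
        if r['port'] not in COMMON_PORTS:
            p['odd_port_conns'] += 1
    return prof


def score_device(p):
    """Return (score, reasons); each proxy-like heuristic contributes one point."""
    reasons = []
    if len(p['dsts']) >= 5:
        reasons.append(f"{len(p['dsts'])} distinct external destinations")
    night_share = p['night_bytes'] / p['total_bytes'] if p['total_bytes'] else 0.0
    if night_share >= 0.5:
        reasons.append(f'{night_share:.0%} of bytes between 01:00 and 06:00')
    hi, lo = max(p['sent'], p['recv']), min(p['sent'], p['recv'])
    symmetry = lo / hi if hi else 0.0  # ~0 for streaming, ~1 for relayed proxy traffic
    if symmetry >= 0.7:
        reasons.append(f'upload and download volumes nearly symmetric ({symmetry:.2f})')
    odd_share = p['odd_port_conns'] / p['conns'] if p['conns'] else 0.0
    if odd_share >= 0.3:
        reasons.append(f'{odd_share:.0%} of connections to uncommon ports')
    return len(reasons), reasons


def suspicious_devices(log_text, min_score=3):
    """Return {device: reasons} for every device scoring at least min_score."""
    flagged = {}
    for device, p in device_profile(parse_log(log_text)).items():
        score, reasons = score_device(p)
        if score >= min_score:
            flagged[device] = reasons
    return flagged


if __name__ == '__main__':
    for device, reasons in suspicious_devices(SAMPLE_LOG).items():
        print(f'[!] {device}: ' + '; '.join(reasons))
```

Run against the sample, only `tv98-box` is flagged, on all four heuristics; the television and picture frame score zero because they talk to a few content servers, in the evening, and download far more than they upload. On a real router export you would tune the thresholds to your household (a game console downloading a patch overnight will trip the night-hours check alone, which is why a single heuristic is not enough to flag a device).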