
This Android Malware Is Attacking Smart Home Devices Within the 'Internet of Things'

A widespread malware campaign is currently affecting millions of smart home devices, including TVs, streaming boxes, and tablets running Android software. A recent FBI alert warns consumers about the BADBOX 2.0 botnet, which spreads through the Internet of Things (IoT) and gives threat actors access to home networks to conduct malicious activity.

Here’s what you need to know to protect your system and devices from BADBOX 2.0.

How BADBOX 2.0 works

BADBOX 2.0 is a malware campaign that targets consumer devices, most of which are low-cost, “off-brand” smart home electronics—smart TVs, digital projectors, picture frames, and tablets, for example—running on Android Open Source Project (AOSP). Once infected, the devices are connected to the threat actors’ command-and-control servers and become part of a botnet.

According to a report from HUMAN’s Satori Threat Intelligence and Research team, attacks may then be carried out in a number of forms: programmatic ad and click fraud, which loads and clicks ads in the background to generate revenue; and residential proxy services, allowing for account takeover, fake account creation, one-time password theft, and malware distribution. For example, threat actors can route traffic through a victim’s home IP address to hide malicious activity or use stolen data in credential stuffing attacks.

The current threat is an evolution of the original BADBOX malware, first identified in 2023, that came pre-loaded on devices prior to purchase. BADBOX 2.0 can spread through malicious Android apps found on Google Play and third-party app stores. The malware can also be downloaded from attack servers and installed upon initial startup.

The scheme has affected more than a million devices around the world, all of which were manufactured in China and running AOSP. At this time, none of the devices known to be infected are particularly mainstream (i.e., not Play Protect certified Android devices), but they are still popular in many countries, and there’s nothing to preclude a spread to other models.

How to prevent a BADBOX 2.0 infection

If you have any of the devices known to be affected by BADBOX 2.0, you should certainly look for signs of malicious activity. According to the FBI notice, possible indicators include unexplained or suspicious internet traffic, the presence of suspicious app marketplaces, and Google Play Protect settings being disabled. You should also be wary of purchasing or connecting streaming devices sold as “unlocked,” Android devices that aren’t Play Protect certified, and IoT devices from brands you don’t recognize.

Other security best practices include keeping all operating systems up to date with patches and security fixes for known vulnerabilities and downloading apps only from trusted, official marketplaces (don’t fall for “free streaming” apps). You should also keep an eye on network traffic to catch anything suspicious and isolate any devices that may be compromised as quickly as possible.
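As an added illustration of what watching network traffic can look like in practice (this is not code from the FBI notice or the HUMAN report), the Python sketch below flags smart home devices whose hourly traffic resembles relaying for a residential proxy: many distinct remote hosts combined with nearly as much data sent as received. The flow record layout, the IP addresses, the device inventory, and both thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Assumed thresholds (tune for your own network; not taken from the FBI notice).
MAX_REMOTE_HOSTS = 25     # distinct remote IPs per device per hour
MAX_UP_DOWN_RATIO = 0.5   # bytes sent / bytes received

def constructed_flows():
    """Constructed sample records: (hour, lan_ip, remote_ip, bytes_up, bytes_down)."""
    flows = []
    # Ordinary streaming box: few remote hosts, download-heavy.
    for i in range(4):
        flows.append((20, "192.168.1.50", f"198.51.100.{i}", 40_000, 9_000_000))
    # Device relaying traffic for others: many remote hosts, upload close to download.
    for i in range(60):
        flows.append((3, "192.168.1.77", f"203.0.113.{i}", 800_000, 900_000))
    # Laptop: many hosts is normal browsing, and it is not in the IoT inventory.
    for i in range(40):
        flows.append((21, "192.168.1.20", f"198.51.100.{100 + i}", 20_000, 400_000))
    return flows

def proxy_like_devices(flows, iot_devices):
    """Return {(lan_ip, hour): (remote_hosts, up/down ratio)} for IoT devices
    whose hourly traffic looks like relaying rather than consuming content."""
    hosts = defaultdict(set)
    up = defaultdict(int)
    down = defaultdict(int)
    for hour, lan_ip, remote_ip, b_up, b_down in flows:
        if lan_ip not in iot_devices:
            continue
        key = (lan_ip, hour)
        hosts[key].add(remote_ip)
        up[key] += b_up
        down[key] += b_down
    flagged = {}
    for key in hosts:
        ratio = up[key] / max(down[key], 1)  # avoid division by zero
        if len(hosts[key]) > MAX_REMOTE_HOSTS and ratio > MAX_UP_DOWN_RATIO:
            flagged[key] = (len(hosts[key]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    iot = {"192.168.1.50", "192.168.1.77"}  # assumed inventory of TVs, boxes, frames
    for (ip, hour), (n, ratio) in proxy_like_devices(constructed_flows(), iot).items():
        print(f"{ip} hour={hour}: {n} remote hosts, up/down={ratio} -> isolate and inspect")
```

A flagged device is a candidate for isolation and closer inspection, not proof of infection; some legitimate devices also upload heavily.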


ZaKi
