Unlocked Streaming Devices Could Expose Your Home Network to Criminals

The FBI’s June 5, 2025, Public Service Announcement exposes a widespread cybersecurity campaign involving weaponised Internet of Things (IoT) devices. 

According to the alert (I-060525-PSA), criminal groups have compromised millions of consumer-grade electronic devices. These include low-cost, off-brand TV sticks, digital projectors, vehicle infotainment units, and other Android-based gadgets. 

Once infected, they operate as covert components of a cybercriminal infrastructure, routing illicit traffic and masking attacks under the guise of residential IP addresses.

What is BADBOX 2.0?

BADBOX 2.0 is the evolution of the original BADBOX malware campaign, which was disrupted in 2024. Unlike its predecessor, this version employs a dual infection strategy.

Devices are compromised both before and after purchase, to maximise the campaign's footprint and avoid detection. According to the FBI, perpetrators infect gadgets as follows:

Pre‑sale infection

Manufacturers in China and other countries often operate with minimal regulatory oversight. They embed malicious firmware directly into devices during the production process. 

These infections affect hardware running the Android Open Source Project (AOSP), which lacks Google’s proprietary security layers, such as Play Protect. Because the malware resides at the system level, traditional antivirus tools rarely detect it.

Post‑sale infection

Once a user powers on a BADBOX 2.0-tainted gadget, the infection deepens. The interface prompts them to sideload third-party apps from unofficial marketplaces, under the guise of enabling “enhanced features” or “free content.” 

The setup flow actively encourages people to disable Google Play Protect, stripping the device of its primary malware detection mechanism. After being installed, these apps connect to command-and-control servers.

The devices join a sprawling proxy network, offering up their real home IP addresses. These are used for tasks like click‑fraud, ad‑fraud, credential stuffing, bot‑driven scraping, and even DDoS attacks, with traffic routed through legitimate‑looking endpoints.

WIRED’s interview with Human Security CISO Gavin Reid sheds light on the motive: “The main way they are monetising the million devices is reselling this proxy service… Victims don’t know that they’re a proxy; they never agreed to be a proxy service, but they’re being used for that.”

Identifying a compromised device: Red flags to check for


The FBI lists several indicators that a streaming device may be part of BADBOX 2.0:

  • Sideloaded or third‑party app marketplaces: Standard Android TV devices use the Google Play Store. Devices that feature alternative app markets, often labelled as “unlocked,” “free content,” or “pre‑loaded,” are major red flags. These marketplaces frequently distribute backdoor-laced apps, with BADBOX 2.0 devices typically offering hundreds of such apps. 
  • Requests to disable Google Play Protect: BADBOX setup flows often instruct users to turn off Google Play Protect, a built-in malware defence system. Without this protection, devices are left vulnerable to externally injected backdoors. 
  • Generic, unlocked TV boxes promising “free content”: Devices marketed heavily on price and unlocked status are common infection points. These boxes often promise Netflix, IPTV, and free live TV, but typically lack credible vendor certification.
  • Unbranded or unfamiliar manufacturers: A device with no reputable brand name or clear manufacturer credibility is suspect. The FBI states that most BADBOX-affected hardware comes from unverified Chinese manufacturers.
  • Missing Google Play Protect certification: The Google Play Protect certification indicates that the device has passed Google’s security and compatibility tests. BADBOX-infected devices almost universally run on the Android Open Source Project (AOSP) version without Play Services or certification. 
  • Unusual or persistent network activity: Infected devices remain active in the background, even when idle. You may notice continuous connections to obscure domains, or outbound traffic spikes that coincide with botnet tasks. These devices rarely exhibit obvious app use but generate stealthy, sustained network signals.

FBI recommendations on what you can do now

The advisory outlines steps to mitigate BADBOX infection risks:

  • Audit devices: List all IoT-connected gadgets and flag any unknown brands. Open the Play Store app and tap Settings > Play Protect certification. If uncertified, treat it as suspect.
  • Avoid unofficial apps: Skip alt‑market or piracy apps and stick to official app stores.
  • Enable Play Protect: Keep its built-in malware scanning active.
  • Update firmware religiously: Patch vulnerabilities in all devices and routers.
  • Monitor traffic: Unusual spikes and outbound connections to suspicious domains should be treated as warning signs. Routers with traffic-monitoring tools can also help you flag devices with unusual DNS resolutions or persistent outbound flows.
  • Disconnect suspicious devices: If in doubt, isolate or wipe the device.
  • Report breaches: File through IC3 at ic3.gov.
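The “unusual or persistent network activity” red flag above and the “monitor traffic” recommendation both come down to one check: which device on the LAN keeps talking to unfamiliar hosts at hours when nobody is watching TV. The script below is an added example, not code from the FBI advisory or Human Security; it assumes a router DNS log in a simple “timestamp client domain” layout and a small allow-list of expected domains, both constructed here for illustration.

```python
# Added example (not from the FBI advisory or Human Security): flag LAN clients whose
# DNS activity looks like sustained background proxy traffic. Log format is assumed.
from collections import defaultdict
from datetime import datetime

# Constructed router DNS-log sample in an assumed "timestamp client domain" layout.
SAMPLE_LOG = """\
2025-06-05T02:01:10 192.168.1.20 cdn.example-streaming.net
2025-06-05T02:03:44 192.168.1.20 a1b2c3.proxy-relay.example
2025-06-05T02:05:02 192.168.1.20 zz91kq.proxy-relay.example
2025-06-05T03:10:09 192.168.1.20 t5r6e7.trk-node.example
2025-06-05T03:31:57 192.168.1.20 ads-click.example
2025-06-05T04:20:33 192.168.1.20 q8w9e0.proxy-relay.example
2025-06-05T20:15:00 192.168.1.31 play.googleapis.com
2025-06-05T21:02:11 192.168.1.31 netflix.com
"""

KNOWN_GOOD = {"googleapis.com", "netflix.com", "example-streaming.net"}  # assumed allow-list
IDLE_HOURS = range(1, 6)      # 01:00-05:59: nobody should be streaming
MIN_IDLE_QUERIES = 4          # sustained activity, not a one-off update check
MIN_DISTINCT_DOMAINS = 3      # proxy/ad-fraud traffic fans out across many hosts

def registrable(domain):
    """Crude eTLD+1 (last two labels); enough to match the allow-list here."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse_lines(text):
    """Yield (timestamp, client, domain) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, client, domain = line.split()
            yield datetime.fromisoformat(ts), client, domain

def flag_suspicious(text):
    """Return {client: reason} for clients resolving unfamiliar domains while idle."""
    idle_hits = defaultdict(list)
    for ts, client, domain in parse_lines(text):
        if ts.hour in IDLE_HOURS and registrable(domain) not in KNOWN_GOOD:
            idle_hits[client].append(domain)
    flagged = {}
    for client, domains in idle_hits.items():
        distinct = len(set(domains))
        if len(domains) >= MIN_IDLE_QUERIES and distinct >= MIN_DISTINCT_DOMAINS:
            flagged[client] = f"{len(domains)} idle-hour lookups across {distinct} unfamiliar domains"
    return flagged

if __name__ == "__main__":
    for client, reason in flag_suspicious(SAMPLE_LOG).items():
        print(client, reason)   # 192.168.1.20 5 idle-hour lookups across 5 unfamiliar domains
```

A flagged client is a candidate for the “disconnect suspicious devices” step, not proof of infection; check its Play Protect certification and brand before wiping it.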

The next evolution in BADBOX

Human Security’s threat teams warn that BADBOX 2.0 is an ongoing, growing threat, not a one-off phenomenon: “Every couple of years, people buy new devices, and we expect there will be a BADBOX 3.”

“Until there’s less demand for cheap Android network devices, this is going to be something that the threat actors abuse to continue to make money,” Human Security CISO Gavin Reid added.

Without being cautious and following recommended FBI measures, your inexpensive streaming box could inadvertently become an accomplice in a far-reaching criminal enterprise.
