CLEVELAND, Ohio — Imagine that the television streaming device, digital photo frame, or even car infotainment system you bought at a good price is secretly working against you. These everyday gadgets, sitting comfortably in your home, could be part of a global cybercriminal network known as BADBOX 2.0. In a new warning, the Federal Bureau of Investigation (FBI) is sounding the alarm, stating that millions of Android devices, mostly manufactured in China, are being turned into pawns by hackers who use them for fraud, data theft, and concealing criminal activity. This threat lurking in the shadows of your home network challenges our notions of security in the era of smart technology.
The botnet hiding in gadgets
BADBOX 2.0 is an evolution of malicious software first discovered in 2023 on inexpensive Android devices such as T95 streaming boxes. German law enforcement disrupted the operation in 2024 by intercepting communications between infected devices and the hackers' servers. However, like a phoenix rising from the ashes, the botnet re-emerged in 2025, becoming even more insidious. According to the FBI, over 1.6 million devices across 222 countries—from Brazil to the USA—are already infected, and this number continues to grow.
The majority of affected gadgets are low-cost, uncertified Android devices running Android Open Source Project (AOSP) builds without Google Play Protect security. They include streaming boxes, projectors, digital photo frames, tablets, and even aftermarket automotive systems. Often these devices come with malicious software pre-installed, or infection occurs during setup when users unknowingly download counterfeit apps from unauthorized marketplaces. “This is not just a technical issue; it’s an invasion into our homes,” notes Gavin Reed, Chief Information Security Officer of Human Security, which detected BADBOX 2.0 in March 2025.
Once infected, the device connects to command-and-control servers operated by the hackers and becomes part of a botnet used for a range of crimes: from ad fraud, where the gadget secretly “clicks” ads, to proxy networks that mask cyberattacks by making them appear to be normal home traffic. “Your IP can be used to attack banks or government agencies, and you may not even be aware of it,” warns Fyodor Yarochnyk, senior researcher at Trend Micro.
A global threat from Chinese factories
The FBI emphasizes that most infected devices are manufactured in China, where producers use vulnerable versions of Android that are not certified by Google. Some models, such as TV98 or X96mini, are even linked to the Malaysian company Longvision Media, which, according to Human Security, used hidden browsers to simulate gaming activity and display advertisements. The highest infection rates are recorded in Brazil (37.6%), the USA (18.2%), and Mexico (6.3%), where inexpensive gadgets are popular.
This scheme is partially connected to the Chinese Lemon Group, known for using the Triada Trojan, which underpins BADBOX. Human Security researchers identified connections between botnet domains and the Dove Proxy service owned by this group. “It’s not just hackers in a basement; it’s an organized industry earning millions from our devices,” says Emily Walker, a cyber analyst at the Shadowserver Foundation, involved in efforts to dismantle the botnet.
Why is this important?
BADBOX 2.0 is not only a technical threat but also a symptom of a broader problem: vulnerabilities in the global technology supply chain. Cheap gadgets flooding the markets often sacrifice security for low cost, and consumers tempted by free content offers become easy targets. In 2024, an attempt by Google, Human Security, and other partners to block communication with 500,000 infected devices only had a temporary effect—within a week, the botnet was back, infecting 192,000 new gadgets, including products from well-known brands like Hisense and Yandex.
For Americans, this threat is especially relevant, as 146,000 infected IP addresses have been recorded in the US. “This isn’t just about your TV; it’s about your privacy and the security of your entire network,” emphasizes FBI Captain James Kelly, who is coordinating the investigation. He adds that the botnet could be used to attack critical infrastructure, from power grids to financial systems.
How to protect yourself?
The FBI urges Americans to check their gadgets for signs of infection: unusual internet traffic, requests to disable Google Play Protect, unknown apps, or pop-up messages offering free content. Experts recommend:
Purchasing only certified devices from reputable brands, avoiding “unlocked” streaming boxes.
Not downloading apps from unofficial marketplaces, even if they promise free access to Netflix or Disney+.
Regularly updating firmware and operating systems, especially after reports of vulnerabilities.
Using antivirus software, such as Bitdefender Mobile Security, and monitoring network traffic with tools like NETGEAR Armor.
If you suspect infection, the FBI advises immediately disconnecting the device from the network and reporting the incident via the Internet Crime Complaint Center (www.ic3.gov).
A look into the future
While the FBI and cybersecurity experts combat BADBOX 2.0, malicious actors are adapting, hiding malicious software in fake apps on Google Play under names like “Earn Extra Income” or in HTML5 games. This cat-and-mouse game underscores the vulnerability of the modern world, where every connected device is a potential loophole for criminals. For Americans accustomed to trusting their gadgets, this serves as a sobering reminder: in pursuit of cheap technology, we may unknowingly open the door to digital chaos.