    The FBI Warns of BADBOX 2.0 – A Cyberattack That Targets Home IoT Devices

    By TechAiVerse, June 11, 2025

    Key Takeaways

    • The FBI has warned users about BADBOX 2.0 – malware that infects home devices like TVs, streaming devices, and vehicle infotainment systems.
    • Once compromised, these devices are added to the botnet and used as proxies for malicious activities.
    • Users need to practice vigilance by avoiding purchases from unrecognized brands and checking network traffic for suspicious activity.

    The Federal Bureau of Investigation (FBI) has issued an advisory, warning the public about the BADBOX 2.0 botnet, which is on a rampage compromising IoT devices in residential properties. 

    Devices like digital projectors, TV streaming devices, digital picture frames, and vehicle infotainment systems (most of which come from China) are most vulnerable to this attack.

    There are two ways your devices can be infected:

    • They could come pre-installed with the malicious software. 
    • Or you may unwittingly infect them yourself by downloading unrecognized and unverified software from compromised app marketplaces.

    When HUMAN Security’s Satori Threat Intelligence team sourced devices from retailers for research, around 80% were found to be pre-infected with BADBOX (during the initial attack campaign).

    This particular bad actor seems to be one step ahead of the original BADBOX campaign, which was successfully neutralized in 2024. The earlier version of this cyberattack only involved devices that came pre-installed with these malicious backdoors. However, threat actors can now infect devices through authorized app downloads as well.

    Once the device is compromised, it’s added to the large botnet of infected devices, each of which acts as a proxy node. Threat actors and cybercriminals then use these compromised devices for illegal activities (like ad fraud, remote code installation, and creating fake email accounts).

    Criminals route traffic through these compromised devices to hide their original IP addresses and locations. The worst thing is that all of this happens without your knowledge. In the process, threat actors can also access your internet data and private information from the compromised home network.

    Brief History of BADBOX and PEACHPIT

    The original BADBOX campaign was detected as early as 2016. It relied heavily on the Triada malware, which has Chinese origins. HUMAN Security’s team found that as many as 74,000 Android devices were infected with BADBOX in that period.

    These devices had pre-installed embedded backdoors, which were set up to communicate with command and control (C2) servers monitored by the hackers.

    The primary purpose of these backdoors was to run widespread ad fraud on compromised devices. A key component of the initial BADBOX campaign was the PEACHPIT ad fraud module, with the primary aim of generating illicit ad revenue for attackers.

    The PEACHPIT module was downloaded onto BADBOX-compromised devices and controlled through C2 servers. The PEACHPIT module infected as many as 280,000 devices, sending a massive 9B fraud requests every day.

    However, this doesn’t mean that devices not infected by BADBOX were safe. PEACHPIT also included 39 malicious applications, which were downloaded around 15M times in 227 countries, on iOS devices as well. During peak infection, these apps sent around 4B ad requests every day.

    As per HUMAN Security’s findings, the BADBOX backdoor didn’t affect iOS devices; instead, only the PEACHPIT apps available for download from many major app marketplaces impacted them.

    However, the ad fraud with BADBOX 2.0 is far more sophisticated than its predecessor.

    Malicious parties are resorting to hidden web view ad fraud, which loads advertisements in invisible web view components. The user is completely unaware of this until it’s too late because the ads are often placed off-screen or behind other elements.

    Another method includes click fraud, where the hackers trick users into clicking on hidden ads or advertisements through automated scripts.

    Extent of the BADBOX 2.0 Damage

    HUMAN’s team has found more than 1M devices infected with BADBOX 2.0 so far, which is significantly more than the 74K infected during the first campaign. Besides the extensive app marketplace and ad frauds, attackers have also built an ‘entire fraudulent ecosystem’ of 200 backdoors, significantly expanding the attack area compared to its predecessor.

    In addition to ad fraud and proxyjacking, the compromised devices can also steal Personally Identifiable Information (PII), including OTPs, through keylogging and phishing attacks.

    Surprisingly, threat actors can use compromised devices to create fake Gmail and WhatsApp accounts by stealing these OTPs.

    They can then create new fake apps and stage cybercrimes that would trace back to the owner of the device (covering their tracks). They can also sign up for limited-access WhatsApp channels (likely to steal confidential info).

    Needless to say, attackers can send C2 commands for complete account takeovers and use the devices for Distributed Denial-of-Service (DDoS) attacks and distribute other malware.

    As you can see, the extent of BADBOX’s current version is significantly more than just an ad fraud tool – cybercriminals have designed the BADBOX 2.0 as a vehicle for widespread illicit monetization by hook or by crook.

    How to Identify and Protect Against BADBOX 2.0?

    Here are three ways you can keep yourself protected against the cybercriminals’ latest weapon.

    1. Only Buy from Reputable Providers

    Most of the compromised devices come from China and go for sale under unknown or anonymous brand names. For instance, most cases of BADBOX 2.0 are seen on the ‘TV98’ and ‘X96’ brands of these Android devices.

    A major reason attackers choose these devices is that they’re subject to looser security measures during production. This makes them more vulnerable to BADBOX-type attacks.

    So, a good rule of thumb is to buy devices only from reputable brands that you know and trust. A bit of online research, including skimming through YouTube reviews, can save you a massive headache later.

    2. Do NOT Disable Google Play Protect

    When installing new software for your IoT devices, never (and I do mean ‘never’) disable Play Protect. That’s one of the biggest red flags you can get.

    Play Protect scans apps on your phone for malicious behavior and warns you if any suspicious installation takes place. It also works for side-loading, i.e., installing apps outside of the Google Play Store.

    Disabling Play Protect makes it extremely difficult to track rootkits, backdoors, and keyloggers, which is exactly what threat actors need to infiltrate your device. So, the only plausible reason your device might be asking you to disable Play Protect is that it wants to install malicious software. 

    Next, if you notice the device downloading apps from unrecognized app marketplaces, it’s best to stop the installation immediately.

    Unlike the Google Play Store, other marketplaces may not implement the best security practices or vet and authorize each app. You also run the risk of landing on a fake marketplace specially designed by the hackers to trick you into installing malware.

    3. Check Network Traffic

    If you think hackers might have infiltrated your network, don’t worry. There’s a way you can get to the bottom of this by checking your device’s network traffic.

    Use a free network scanner app (like this one), which will scan your local network and list all connected devices. This will allow you to identify any unknown devices and make sure no one’s watching from the shadows.

    Additionally, you can check your device’s bandwidth usage and connection history to recognize unusual patterns, such as increased traffic during odd hours.
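
    One way to make the odd-hours check above repeatable, as an added example that is not from the FBI advisory or HUMAN Security: the script reads per-connection records exported from a router and flags devices whose traffic is concentrated overnight and spread across many destinations, the pattern a proxy node produces. The log format, the 01:00-04:59 window, and both thresholds are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real traffic), assumed export format:
# ISO timestamp, LAN device, remote IP (RFC 5737 documentation ranges), bytes sent
SAMPLE_LOG = """\
2025-06-10T20:05:11 192.168.1.23 198.51.100.7 200000
2025-06-11T02:14:09 192.168.1.23 203.0.113.10 480000
2025-06-11T02:31:40 192.168.1.23 203.0.113.77 510000
2025-06-11T03:02:18 192.168.1.23 198.51.100.40 390000
2025-06-11T03:47:55 192.168.1.23 192.0.2.15 420000
2025-06-10T09:12:00 192.168.1.10 198.51.100.7 900000
2025-06-10T14:40:30 192.168.1.10 198.51.100.9 700000
2025-06-11T02:05:00 192.168.1.10 198.51.100.7 100000
2025-06-10T12:00:00 192.168.1.30 192.0.2.200 100000
2025-06-11T03:00:00 192.168.1.30 192.0.2.200 5000000
"""

ODD_HOURS = range(1, 5)   # assumed quiet window: 01:00-04:59 local time
MIN_NIGHT_SHARE = 0.5     # assumed: at least half of all bytes sent overnight
MIN_NIGHT_DESTS = 4       # assumed: overnight fan-out to this many remotes


def parse(log_text):
    """Yield (timestamp, device, remote, size) from whitespace-separated lines."""
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        ts, device, remote, size = parts
        yield datetime.fromisoformat(ts), device, remote, int(size)


def flag_devices(log_text):
    """Return {device: (night_share, night_destinations)} for flagged devices."""
    total, night = defaultdict(int), defaultdict(int)
    night_dests = defaultdict(set)
    for ts, device, remote, size in parse(log_text):
        total[device] += size
        if ts.hour in ODD_HOURS:
            night[device] += size
            night_dests[device].add(remote)
    flagged = {}
    for device, sent in total.items():
        share = night[device] / sent if sent else 0.0
        # Require both signals: a nightly backup to one server is not a proxy.
        if share >= MIN_NIGHT_SHARE and len(night_dests[device]) >= MIN_NIGHT_DESTS:
            flagged[device] = (round(share, 2), len(night_dests[device]))
    return flagged


if __name__ == "__main__":
    for device, (share, dests) in flag_devices(SAMPLE_LOG).items():
        print(f"{device}: {share:.0%} of bytes overnight, {dests} destinations")
```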

    BADBOX 2.0, A Bigger Issue than It Seems

    The BADBOX 2.0 campaign isn’t just the work of a single organization but a collaborative effort of at least four major cybercriminal groups.

    • The SalesTracker Group is primarily responsible for managing C2 servers and infrastructures. 
    • The MoYu Group is the one that developed sophisticated backdoors used in these attacks. 
    • The Lemon Group monetizes compromised devices through ad fraud and proxy services.
    • Lastly, LongTV-backed applications were the ones found hidden in the ad fraud campaigns.

    We also believe the FBI hasn’t emphasized nearly enough the fact that the devices come pre-configured with malware before they reach the consumers (that being you). This makes it more than just a cybersecurity issue; it’s a breach of the supply chain integrity.

    In addition to raising eyebrows about the security of low-cost IoT devices, it also fuels speculation that all of this could be state-backed.

    Something else to think about is that once the hackers compromise the devices, they sell them on the dark web as residential IPs. This means that many US households are becoming launchpads and hideouts for cybercriminals to carry out more sophisticated attacks. 

    All in all, the issue is certainly deeper (and scarier) than at first glance. If researchers don’t find a fix for BADBOX, millions of innocent, non-tech-savvy Americans will remain at risk.

    While the FBI is currently downplaying the situation, we wait for a permanent resolution or disruption of the entire BADBOX 2.0 operation.

    Krishi is a seasoned tech journalist with over four years of experience writing about PC hardware, consumer technology, and artificial intelligence.  Clarity and accessibility are at the core of Krishi’s writing style.
    He believes technology writing should empower readers—not confuse them—and he’s committed to ensuring his content is always easy to understand without sacrificing accuracy or depth.
    Over the years, Krishi has contributed to some of the most reputable names in the industry, including Techopedia, TechRadar, and Tom’s Guide. A man of many talents, Krishi has also proven his mettle as a crypto writer, tackling complex topics with both ease and zeal. His work spans various formats—from in-depth explainers and news coverage to feature pieces and buying guides. 
    Behind the scenes, Krishi operates from a dual-monitor setup (including a 29-inch LG UltraWide) that’s always buzzing with news feeds, technical documentation, and research notes, as well as the occasional gaming sessions that keep him fresh. 
    Krishi thrives on staying current, always ready to dive into the latest announcements, industry shifts, and their far-reaching impacts.  When he’s not deep into research on the latest PC hardware news, Krishi would love to chat with you about day trading and the financial markets—oh! And cricket, as well.


    View all articles by Krishi Chowdhary
