FBI Warns of BADBOX 2.0 Botnet Surge in Chinese Devices

Over 1 Million Infected Off-Brand Android Devices Pose Global Fraud Risk

[Prajeet Nair](https://www.govinfosecurity.com/authors/prajeet-nair-i-3483) ([@prajeetspeaks](https://www.twitter.com/@prajeetspeaks)) • June 7, 2025

Low-cost devices infected with BADBOX 2.0 include home projectors, TV streaming devices, digital picture frames and car infotainment systems. (Image: Shutterstock)

A China-based botnet operation called BADBOX 2.0 has infected more than 1 million off-brand Android smart devices globally. The FBI is advising consumers to check their home networks for suspicious activity that could be linked to multiple fraud schemes.

In a public service announcement Thursday, the FBI [said](https://www.ic3.gov/PSA/2025/PSA250605) the malware-laced devices, primarily manufactured in China, range from low-cost TV streaming devices and projectors to digital picture frames and car infotainment systems.

Most of the devices were compromised before they were shipped to consumers, while others were infected during the initial software setup process through malicious app downloads from unofficial marketplaces.

First identified by cybersecurity firm [Human Security](https://www.humansecurity.com/wp-content/themes/human/hubspot/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf) in 2023 and temporarily disrupted in late 2024, the BADBOX campaign has re-emerged with expanded capabilities. BADBOX 2.0 not only infects devices through supply chain backdoors but also spreads through counterfeit apps that mimic popular software. In many cases, cybercriminals trick users into disabling Google Play Protect to install these ‘evil twin’ apps, resulting in further compromise (see: [*Malware-Infested Android Devices Fuel Global Botnet Fraud*](/malware-infested-android-devices-fuel-global-botnet-fraud-a-27654)).

Once online, compromised devices are enrolled into a sprawling botnet and residential proxy network. Criminal actors then exploit these proxies to hide malicious traffic and carry out schemes such as click fraud, ad fraud and broader cybercrimes.

The infected devices connect to fake HTML5 gaming sites, which are not designed for playing. Instead, they serve up high-paying in-game ads that generate fraudulent ad revenue – all hidden from device users.

These devices also offer attackers a stealthy entry point into home networks and turn unsuspecting consumers into part of a global cybercrime operation, the FBI said.

The highest concentrations of infected devices have been reported in South America, particularly Brazil. Most affected models are generic brands such as TV98 and GameBox, which are not Play Protect-certified by Google.

Some compromised devices and apps appear to have connections to Longvision Media, a Malaysia-based company whose LongTV products were found to launch hidden web browsers that simulate game play to serve ads.

Human Security, Trend Micro, Google and the Shadowserver Foundation collaborated to disrupt parts of the infrastructure through sinkholing. But researchers caution the takedown hasn’t fully dismantled the botnet.

The FBI advises consumers to avoid off-brand Android devices, refrain from downloading apps from unofficial sources and monitor home network traffic for anomalies. Users should keep device firmware and software up to date and enable Google Play Protect.

#### [Prajeet Nair](https://www.govinfosecurity.com/authors/prajeet-nair-i-3483)

*Assistant Editor, Global News Desk, ISMG*

Prajeet Nair is a seasoned cybersecurity journalist with over a decade of experience covering cybersecurity and OT developments in the US and the Asia-Pacific region. As an editor, he has interviewed key decision-makers, including CISOs, CIOs, regulators and law enforcement leaders. Before joining ISMG, Prajeet held editorial roles at The New Indian Express, TechCircle, IDG and the Times Group. He is currently based in Bengaluru, India.

Blog: GovInfoSecurity
