FBI Warning: BADBOX 2.0 Botnet Targeting Home IoT Devices
June 10, 2025
The Federal Bureau of Investigation (FBI) has issued a public service announcement of a new botnet having a great deal of success in compromising home networks via Internet of Things (IoT) devices, one thought to be controlled by private criminal operators in China with some assistance from an app development company based in Malaysia.
While this botnet is relatively new, it is a sequel of sorts to the group’s prior effort. BADBOX 2.0 supplants the original BADBOX, and has roped in at least two million devices in total.
BADBOX 2.0 often found in questionable apps, preinstalled on Android devices
The original BADBOX is thought to be the work of a criminal outfit called the “SalesTracker Group,” which seems to have connections to manufacturers of assorted lower-cost Android devices in China (mostly TV boxes but also some smartphones and tablets). The group would use this access to pre-install a variant of the Triada malware designed to quietly backdoor these devices and connect them to the botnet, which was first spotted in 2023 and grew to about 150,000 devices before being disrupted in late 2024.
BADBOX 2.0 is much worse; a Google lawsuit filed in mid-2025 indicates the company believes it is composed of over 10 million devices worldwide. This is a much larger operation that has roped in several more specialized criminal groups such as residential proxy specialist “Lemon Group” and Malaysia-based manufacturer LongTV.
The threat actors do appear to be leveraging LongTV and other manufacturers to continue pre-installing malware in devices sent to market, but the massive recovery and expansion is likely attributable to an increased focus on planting malicious apps in unofficial markets. The most frequently used enticement to download these apps seems to be a promise of free television and movie streaming. The tainted Android TV boxes are often advertised as granting access to pirated content in the same way.
BADBOX may have been hacked by a second criminal group
Follow-up research indicates that operators of a rival botnet may have hacked their way into BADBOX 2.0 and surreptitiously made use of it. The owners of the Kimwolf botnet, which sports about two million devices, took to social media to show off screenshots of themselves accessing the BADBOX control panel. They do not appear to have taken control or kicked the original operators out, but rather created their own account with unauthorized access.
BADBOX 2.0 may be present if an app prompts for Google Play Protect to be disabled, or if a device generates unusual internet traffic. Off-brand devices are also a risk right out of the box, as are TV streaming devices that openly advertise free access to paid content. The FBI advises monitoring home network internet traffic, keeping all operating systems and other critical apps updated to their latest versions, and avoiding any app downloads that advertise free streaming, especially those that are only available outside official app stores.
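The FBI's advice to watch home network traffic is easier to act on with a concrete heuristic. The script below is an added example, not code from the FBI announcement or from any of the research it cites: it reads constructed flow records (timestamp, device name, destination IP, destination port, bytes out; device names are hypothetical and the addresses are RFC 5737 test ranges) and flags a device that fans out to many distinct destinations during hours when a TV box should be idle, the pattern one would expect from a box being rented out as a residential proxy rather than streaming video. The thresholds and the quiet-hour window are assumptions to tune for a given household.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample flows (hypothetical device names, RFC 5737 test addresses).
# One record per line: ISO timestamp, device, destination IP, destination port, bytes out.
SAMPLE_FLOWS = """\
2025-06-10T02:00:05 tvbox-livingroom 198.51.100.10 443 1200
2025-06-10T02:04:11 tvbox-livingroom 198.51.100.23 8080 900
2025-06-10T02:09:40 tvbox-livingroom 203.0.113.7 443 1500
2025-06-10T02:15:02 tvbox-livingroom 203.0.113.55 443 700
2025-06-10T03:01:17 tvbox-livingroom 198.51.100.77 80 2200
2025-06-10T03:22:48 tvbox-livingroom 203.0.113.101 443 1100
2025-06-10T21:05:00 tvbox-livingroom 192.0.2.40 443 48000
2025-06-10T21:30:00 tvbox-livingroom 192.0.2.41 443 51000
2025-06-10T20:00:00 laptop-kitchen 192.0.2.40 443 30000
2025-06-10T20:10:00 laptop-kitchen 192.0.2.42 443 12000
2025-06-10T20:20:00 laptop-kitchen 192.0.2.40 443 25000
2025-06-10T20:30:00 laptop-kitchen 192.0.2.42 443 8000
2025-06-10T03:00:00 thermostat 192.0.2.9 443 300
2025-06-10T03:15:00 thermostat 192.0.2.9 443 300
2025-06-10T03:30:00 thermostat 192.0.2.9 443 300
2025-06-10T03:45:00 thermostat 192.0.2.9 443 300
2025-06-10T04:00:00 thermostat 192.0.2.9 443 300
2025-06-10T04:15:00 thermostat 192.0.2.9 443 300
"""

# Assumed quiet window (01:00 to 05:59 local): a TV box in a home should be idle then.
QUIET_HOURS = range(1, 6)


@dataclass
class DeviceStats:
    flows: int = 0
    bytes_out: int = 0
    quiet_hour_flows: int = 0
    destinations: set = field(default_factory=set)  # distinct (ip, port) pairs contacted


def parse_flows(text):
    """Parse flow records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, dst_ip, dst_port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), device, dst_ip, int(dst_port), int(nbytes)))
    return records


def summarize(records):
    """Aggregate per-device counters: flow count, bytes out, quiet-hour flows, destination fan-out."""
    stats = defaultdict(DeviceStats)
    for ts, device, dst_ip, dst_port, nbytes in records:
        s = stats[device]
        s.flows += 1
        s.bytes_out += nbytes
        s.destinations.add((dst_ip, dst_port))
        if ts.hour in QUIET_HOURS:
            s.quiet_hour_flows += 1
    return stats


def flag_suspicious(stats, min_destinations=5, min_quiet_share=0.5):
    """Return device names whose pattern looks like proxy/bot activity rather than streaming.

    Both conditions must hold: wide fan-out to distinct destinations AND a large share of
    that activity in quiet hours. Either alone is normal (a laptop fans out during the day;
    a thermostat polls one server all night).
    """
    flagged = []
    for device, s in sorted(stats.items()):
        quiet_share = s.quiet_hour_flows / s.flows if s.flows else 0.0
        if len(s.destinations) >= min_destinations and quiet_share >= min_quiet_share:
            flagged.append(device)
    return flagged


if __name__ == "__main__":
    device_stats = summarize(parse_flows(SAMPLE_FLOWS))
    for name, s in sorted(device_stats.items()):
        print(f"{name}: flows={s.flows} destinations={len(s.destinations)} "
              f"quiet_hour_flows={s.quiet_hour_flows} bytes_out={s.bytes_out}")
    print("suspicious:", flag_suspicious(device_stats))
```

On the constructed data only the TV box is flagged: the laptop contacts two destinations in the evening, and the thermostat is busy all night but talks to a single server. In practice the flow records would come from a router or firewall export, and the interesting follow-up for a flagged device is the destination list itself: a streaming app concentrates on a handful of CDN endpoints with most bytes inbound, whereas a proxied box shows many unrelated destinations and steady outbound traffic.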